Windows Analysis Report
JIL-_Document_No._2500015903.cmd

Overview

General Information

Sample name: JIL-_Document_No._2500015903.cmd
Analysis ID: 1580951
MD5: 77be0aa379a1cae6efbaa06091238fc0
SHA1: 28e485a4e1de330f0750458b6d5b8841af2fd095
SHA256: d7ab60ae836fe857b14fdc6e19147e60e8f74ede79562fa60b08cb5c3d4afd5f
Tags: cmd, user-TeamDreier

Detection

DBatLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
AI detected suspicious sample
Allocates many large memory junks
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 5252 cmdline: extrac32 /y "C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • x.exe (PID: 4256 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 33DE1300C5879C8093B210EA96359783)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.4495741338.0000000002276000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
00000003.00000002.4509288253.000000007FB80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |

Source | Rule | Description | Author | Strings
3.2.x.exe.22765a8.0.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
3.2.x.exe.22765a8.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
3.2.x.exe.2830000.2.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 56%
Source: JIL-_Document_No._2500015903.cmd | ReversingLabs: Detection: 39%
Source: JIL-_Document_No._2500015903.cmd | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.9% probability
Source: C:\Users\user\AppData\Local\Temp\x.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_028358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0284E2F8 InternetCheckConnectionA
Source: x.exe, 00000003.00000000.2032574356.0000000000483000.00000002.00000001.01000000.00000004.sdmp, x.exe, 00000003.00000003.2037165809.000000007F2F0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.2039316097.000000007F55B000.00000004.00001000.00020000.00000000.sdmp, JIL-_Document_No._2500015903.cmd, x.exe.2.dr | String found in binary or memory: http://programania.com/en.htm
Source: x.exe, 00000003.00000000.2032574356.0000000000483000.00000002.00000001.01000000.00000004.sdmp, x.exe, 00000003.00000003.2037165809.000000007F2F0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.2039316097.000000007F55B000.00000004.00001000.00020000.00000000.sdmp, JIL-_Document_No._2500015903.cmd, x.exe.2.dr | String found in binary or memory: http://programania.com/en.zip
Source: x.exe, 00000003.00000000.2032574356.0000000000483000.00000002.00000001.01000000.00000004.sdmp, x.exe, 00000003.00000003.2037165809.000000007F2F0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.2039316097.000000007F55B000.00000004.00001000.00020000.00000000.sdmp, JIL-_Document_No._2500015903.cmd, x.exe.2.dr | String found in binary or memory: http://programania.com/en_source.zip
Source: x.exe, 00000003.00000002.4508660114.000000002077C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://programania.com/index_ru.htm
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0284DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02847D00 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0284DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0284DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02848BAE GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02848BB0 GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0284D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0284EC74 InetIsOffline,CoInitialize,CoUninitialize,Sleep,MoveFileA,MoveFileA,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_028320C4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0285D59A
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 0283480C appears 931 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 028344AC appears 73 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 028344D0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02848824 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 028487A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 028346A4 appears 244 times
Source: classification engine | Classification label: mal80.troj.evad.winCMD@6/1@0/0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02837F5A GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02846D50 CoCreateInstance
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\user\AppData\Local\Temp\CAB05252.TMP
Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: url.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ??????s.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ???.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??l.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??l.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ieproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mssip32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: smartscreenps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: Window Recorder    Window detected: More than 3 window changes detected
            Source: JIL-_Document_No._2500015903.cmd    Static file information: File size 1268675 > 1048576

            Data Obfuscation

            Source: Yara match    File source: 3.2.x.exe.22765a8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match    File source: 3.2.x.exe.22765a8.0.unpack, type: UNPACKEDPE
            Source: Yara match    File source: 3.2.x.exe.2830000.2.unpack, type: UNPACKEDPE
            Source: Yara match    File source: 00000003.00000002.4495741338.0000000002276000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match    File source: 00000003.00000002.4509288253.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_028487A0 LoadLibraryW,GetProcAddress,FreeLibrary,    3_2_028487A0
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0285C2FC push 0285C367h; ret    3_2_0285C35F
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_028332FC push eax; ret    3_2_02833338
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283635A push 028363B7h; ret    3_2_028363AF
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283635C push 028363B7h; ret    3_2_028363AF
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0285C0AC push 0285C125h; ret    3_2_0285C11D
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0285C1F8 push 0285C288h; ret    3_2_0285C280
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0285C144 push 0285C1ECh; ret    3_2_0285C1E4
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_028486C0 push 02848702h; ret    3_2_028486FA
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283673E push 02836782h; ret    3_2_0283677A
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02836740 push 02836782h; ret    3_2_0283677A
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283C4F4 push ecx; mov dword ptr [esp], edx    3_2_0283C4F9
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0284E5B4 push ecx; mov dword ptr [esp], edx    3_2_0284E5B9
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283D528 push 0283D554h; ret    3_2_0283D54C
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283CB0F pushfd ; iretd    3_2_0283CB3D
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283CB57 push 0283CCFAh; ret    3_2_0283CCF2
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0285BB6C push 0285BD94h; ret    3_2_0285BD8C
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283CB74 push 0283CCFAh; ret    3_2_0283CCF2
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02847894 push 02847911h; ret    3_2_02847909
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_028468CE push 0284697Bh; ret    3_2_02846973
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_028468D0 push 0284697Bh; ret    3_2_02846973
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02848916 push 02848950h; ret    3_2_02848948
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0284A91F push 0284A958h; ret    3_2_0284A950
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02848918 push 02848950h; ret    3_2_02848948
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0284A920 push 0284A958h; ret    3_2_0284A950
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0283C94F push eax; iretd    3_2_0283C975
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02842EE8 push 02842F5Eh; ret    3_2_02842F56
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02845E04 push ecx; mov dword ptr [esp], edx    3_2_02845E06
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02842FF4 push 02843041h; ret    3_2_02843039
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_02842FF3 push 02843041h; ret    3_2_02843039
            Source: C:\Windows\System32\extrac32.exe    File created: C:\Users\user\AppData\Local\Temp\x.exe
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Code function: 3_2_0284A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,    3_2_0284A95C
            Source: C:\Windows\System32\cmd.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe    Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 2830000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 2831000 memory commit 500178944
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 285C000 memory commit 500002816
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 285D000 memory commit 500199424
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 288E000 memory commit 501014528
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 2986000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: 2988000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\x.exe | API coverage: 8.9 %
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_028358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_028358B4
Source: x.exe, 00000003.00000002.4495581747.000000000075E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: C:\Users\user\AppData\Local\Temp\x.exe | API call chain: ExitProcess graph end node

            Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0284EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,3_2_0284EBF0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_028487A0 LoadLibraryW,GetProcAddress,FreeLibrary,3_2_028487A0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_02835A78
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,3_2_0283A798
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,3_2_0283A74C
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_02835B84
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02839194 GetLocalTime,3_2_02839194
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0283B714 GetVersionExA,3_2_0283B714
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Access Token Manipulation | LSASS Memory | 311 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 1 System Network Connections Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
JIL-_Document_No._2500015903.cmd | 39% | ReversingLabs | Win32.Trojan.Malcab
JIL-_Document_No._2500015903.cmd | 34% | Virustotal |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\x.exe | 57% | ReversingLabs | Win32.Trojan.Nekark
No Antivirus matches
Source | Detection | Scanner | Label
http://programania.com/en.zip | 0% | Avira URL Cloud | safe
http://programania.com/index_ru.htm | 0% | Avira URL Cloud | safe
http://programania.com/en.htm | 0% | Avira URL Cloud | safe
http://programania.com/en_source.zip | 0% | Avira URL Cloud | safe
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://programania.com/en.htm | x.exe, 00000003.00000000.2032574356.0000000000483000.00000002.00000001.01000000.00000004.sdmp, x.exe, 00000003.00000003.2037165809.000000007F2F0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.2039316097.000000007F55B000.00000004.00001000.00020000.00000000.sdmp, JIL-_Document_No._2500015903.cmd, x.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://programania.com/en.zip | x.exe, 00000003.00000000.2032574356.0000000000483000.00000002.00000001.01000000.00000004.sdmp, x.exe, 00000003.00000003.2037165809.000000007F2F0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.2039316097.000000007F55B000.00000004.00001000.00020000.00000000.sdmp, JIL-_Document_No._2500015903.cmd, x.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://programania.com/en_source.zip | x.exe, 00000003.00000000.2032574356.0000000000483000.00000002.00000001.01000000.00000004.sdmp, x.exe, 00000003.00000003.2037165809.000000007F2F0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.2039316097.000000007F55B000.00000004.00001000.00020000.00000000.sdmp, JIL-_Document_No._2500015903.cmd, x.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://programania.com/index_ru.htm | x.exe, 00000003.00000002.4508660114.000000002077C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580951
Start date and time: 2024-12-26 13:51:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: JIL-_Document_No._2500015903.cmd
Detection: MAL
Classification: mal80.troj.evad.winCMD@6/1@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 99%
            • Number of executed functions: 18
            • Number of non-executed functions: 40
            Cookbook Comments:
            • Found application associated with file extension: .cmd
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryAttributesFile calls found.
Time | Type | Description
07:52:00 | API Interceptor | 3131x Sleep call for process: x.exe modified
Process: C:\Windows\System32\extrac32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1268224
Entropy (8bit): 7.390822558230329
Encrypted: false
SSDEEP: 24576:ebRMhJO7IBx+T+jPrqkmifBnk7fUomfX4nOLWzpF:edSAu6PVABnk7fU1fX4nOLwF
MD5: 33DE1300C5879C8093B210EA96359783
SHA1: B341B64CC942B9343C2E5974A84A9EB489BF5539
SHA-256: FFBA3035B72B1DC986AE62EC6868B48D0E2AAC69C8216D1B27461D0FAF933FBC
SHA-512: 61043DDA9BE5D0147C9A5675EE02EF09C76DB3498AE4EEE26C0CEA314D4E362C695233E1AC62FA20085F76C824929270014EE2B7A0CC3B39E943810D7C756983
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 57%
Reputation: low
            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f..........dw............@..............................................@...............................&...........................0.............................. ......................@................................text....].......^.................. ..`.itext.......p.......b.............. ..`.data............ ...j..............@....bss.....6...............................idata...&.......(..................@....tls....4................................rdata....... ......................@..@.reloc......0......................@..B.rsrc................<..............@..@.....................Z..............@..@................................................................................................
File type: Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 39 datablocks, 0 compression
Entropy (8bit): 7.390263772618847
TrID:
• Microsoft Cabinet Archive (8008/1) 99.91%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name: JIL-_Document_No._2500015903.cmd
File size: 1'268'675 bytes
MD5: 77be0aa379a1cae6efbaa06091238fc0
SHA1: 28e485a4e1de330f0750458b6d5b8841af2fd095
SHA256: d7ab60ae836fe857b14fdc6e19147e60e8f74ede79562fa60b08cb5c3d4afd5f
SHA512: c8d4c41808c3f0f9f5859c4cc45cebdb0162e47cae3742df128747bab6aa4ead4dfa5701949d93443a06fcaa781e35c7afe7a2009d6ad7dee1146854d03cbdec
SSDEEP: 24576:gbR0hl6fIBF+3SX7rSgyi3Bng7TUsGTX8j2fW3hh:gdGguKDNIBng7TUhTX8j2fsh
TLSH: 5D45C032A3A15D37D22E27765C07F3E96C18BE053AC56E0FBA851B0C8B2D940787BE55
            File Content Preview:MSCF............u.......................'.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".....Z............ .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und
Icon Hash: 9686878b929a9886
            No network behavior found


Target ID: 0
Start time: 07:51:59
Start date: 26/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "
Imagebase: 0x7ff6f2e10000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 07:51:59
Start date: 26/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 07:51:59
Start date: 26/12/2024
Path: C:\Windows\System32\extrac32.exe
Wow64 process (32bit): false
Commandline: extrac32 /y "C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase: 0x7ff7e79a0000
File size: 35'328 bytes
MD5 hash: 41330D97BF17D07CD4308264F3032547
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 07:52:00
Start date: 26/12/2024
Path: C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase: 0x400000
File size: 1'268'224 bytes
MD5 hash: 33DE1300C5879C8093B210EA96359783
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000003.00000002.4495741338.0000000002276000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000003.00000002.4509288253.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 57%, ReversingLabs
Reputation: low
Has exited: false


              Execution Graph

Execution Coverage: 5.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 15.5%
Total number of Nodes: 251
Total number of Limit Nodes: 12

              Control-flow Graph

call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2837a88 call 284e618 call 2834500 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284e5b4 call 2834500 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834734 call 284e08c call 28357c4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834500 * 13 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283494c call 28346a4 call 2837e3c 1225->1229 1226->1225 1781 2852a49-2852a4b 1229->1781 1659 28514d5-28514d7 1539->1659 1661 2851f72-2851f7f 1659->1661 1662 28514dd-28515e6 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284e4b8 1659->1662 1661->1055 1661->1539 1662->1661 1724 28515ec-28517ee call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 CoInitialize call 283480c call 283494c call 28346a4 call 
2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2846d50 1662->1724 1869 28517f3-2851d50 call 2842820 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283e384 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283e384 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283e384 call 2841770 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 CoUninitialize call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 1724->1869 1783 2852be7-2852cf2 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 1781->1783 1784 2852a51-2852be2 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283494c call 28346a4 call 2837fd0 1781->1784 1870 2852cf4-2852cf7 1783->1870 1871 2852cf9-2852f11 call 28349ac call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 
283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834898 1783->1871 1784->1783 2279 2851d57-2851d5c 1869->2279 2280 2851d52-2851d55 1869->2280 1870->1871 2013 2852f17-2853359 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2837e18 1871->2013 2014 2854c78-28554ca call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284e1d8 call 2834500 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2837a88 call 284e618 call 2834500 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 
2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284e540 call 284e5b4 call 2834500 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834898 1871->2014 2377 28533b6-2853a65 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 2834798 call 283494c call 2847b98 call 28487a0 call 283480c call 283494c call 2834798 call 283494c call 2847b98 call 28487a0 call 284870c call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 
28346a4 call 2848824 call 2837e18 2013->2377 2378 285335b-28533b1 call 284e198 call 2834d8c call 2834734 call 2834d8c call 284dacc 2013->2378 2659 28554d0-2855515 call 283480c call 283494c call 28346a4 call 2837e18 2014->2659 2660 2856cb8-2856f33 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834898 2014->2660 2279->1661 2283 2851d62-2851f6d call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284eb3c call 2834500 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 2279->2283 2280->2279 2283->1661 2904 2853a67-2853aa8 call 2834d8c * 2 call 2834734 call 284dacc 2377->2904 2905 2853aad-2853c74 call 284870c call 284e540 call 2834798 call 283494c call 28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 2837e18 2377->2905 2378->2377 2659->2660 2686 285551b-2855c31 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 
28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834d8c * 2 call 2834734 call 284dacc 2659->2686 2880 2856f39-285758b call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834798 call 283494c call 2848410 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283494c call 28346a4 call 284ac38 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28336a0 call 283480c call 283494c call 28346a4 call 2834798 call 
283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 2660->2880 2881 2857a68-2857c67 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834898 2660->2881 3577 2855c36-2855e35 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834898 2686->3577 3847 2857592-2857854 call 2845a74 call 2834b78 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28349a4 call 2847dd8 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284af58 2880->3847 3848 285758d-2857590 2880->3848 3122 2858af1-2858c74 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834898 2881->3122 3123 2857c6d-2857e40 call 283480c call 283494c call 
28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834798 call 283494c call 2834d20 call 2834d9c CreateProcessAsUserW 2881->3123 2904->2905 3146 2853c76-2853ccc call 284e198 call 2834d8c call 2834734 call 2834d8c call 284dacc 2905->3146 3147 2853cd1-28540ff call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 284e540 call 2834798 call 283494c call 28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2837e18 2905->3147 3360 2859420-285aa25 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 * 2 call 2848824 call 
28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 * 2 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 * 16 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 
283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 28346a4 * 2 call 2848824 call 2847b98 call 284818c call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 ExitProcess 3122->3360 3361 2858c7a-2858c89 call 2834898 3122->3361 3394 2857e42-2857eb9 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 3123->3394 3395 2857ebe-2857fc9 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 3123->3395 3146->3147 3877 2854147-2854590 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 
283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 2837e18 3147->3877 3878 2854101-2854142 call 2834d8c * 2 call 2834734 call 284dacc 3147->3878 3361->3360 3380 2858c8f-2858f62 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284e540 call 283480c call 283494c call 28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2837e18 3361->3380 3882 2858f68-2859215 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834d8c * 2 call 2834734 call 284dacc 3380->3882 3883 285921a-285941b call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28349a4 call 2848bb0 3380->3883 3394->3395 3581 2857fd0-28582f0 call 28349a4 call 284dc90 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 
2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284cfa4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 3395->3581 3582 2857fcb-2857fce 3395->3582 3949 2856099-28567bc call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 28336a0 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 2832f08 call 283794c call 2834798 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2832f08 call 283794c call 2834798 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 28336d0 3577->3949 3950 2855e3b-2856094 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 
2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 2834d20 call 2834d8c call 2834734 call 284dacc 3577->3950 4217 28582f2-2858304 call 2848584 3581->4217 4218 2858309-2858aec call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 ResumeThread call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 CloseHandle call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2847ed4 call 28487a0 * 6 CloseHandle call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 3581->4218 3582->3581 4488 2857859-2857870 call 28336d0 3847->4488 3848->3847 4674 2854592-28545e8 call 284e198 call 2834d8c call 2834734 call 2834d8c call 284dacc 3877->4674 4675 28545ed-2854846 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 
call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 283480c call 283494c call 28346a4 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 2837e18 3877->4675 3878->3877 3882->3883 3883->3360 3950->3949 4217->4218 4218->3122 4674->4675 4958 28548a3-2854c73 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 284870c call 283494c call 2848410 Sleep call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 283480c call 283494c call 28346a4 call 2834798 call 283494c call 28346a4 call 2848824 call 2834d20 call 284da44 call 2834d20 call 284da44 call 283480c call 283494c * 2 MoveFileA call 283480c call 283494c * 2 MoveFileA call 283494c call 2834d20 call 284da44 call 283494c call 2834d20 call 284da44 call 283494c call 2834d20 call 284da44 4675->4958 4959 2854848-285489e call 284e198 call 2834d8c call 2834734 call 2834d8c call 284dacc 4675->4959 4958->2014 4959->4958
              APIs
              • InetIsOffline.URL(00000000,00000000,0285AFA1,?,?,?,000002F7,00000000,00000000), ref: 0284ECAE
                • Part of subcall function 02848824: LoadLibraryA.KERNEL32(00000000,00000000,0284890B), ref: 02848858
                • Part of subcall function 02848824: FreeLibrary.KERNEL32(74AD0000,00000000,02891388,Function_000065D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,74AD0000,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB
                • Part of subcall function 0284EB94: GetModuleHandleW.KERNEL32(KernelBase,?,0284EF98,UacInitialize,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,ScanBuffer,0289137C,0285AFD8,ScanString,0289137C,0285AFD8,Initialize), ref: 0284EB9A
                • Part of subcall function 0284EB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0284EBAC
                • Part of subcall function 0284EBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 0284EC00
                • Part of subcall function 0284EBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0284EC12
                • Part of subcall function 0284EBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0284EC29
                • Part of subcall function 02837E18: GetFileAttributesA.KERNEL32(00000000,?,0284F8CC,ScanString,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,ScanString,0289137C,0285AFD8,UacScan,0289137C,0285AFD8,UacInitialize), ref: 02837E23
                • Part of subcall function 0283C2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029858C8,?,0284FBFE,ScanBuffer,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,ScanBuffer,0289137C,0285AFD8,OpenSession), ref: 0283C303
                • Part of subcall function 0284DBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0284DC80), ref: 0284DBEB
                • Part of subcall function 0284DBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0284DC80), ref: 0284DC1B
                • Part of subcall function 0284DBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0284DC30
                • Part of subcall function 0284DBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0284DC5C
                • Part of subcall function 0284DBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0284DC65
                • Part of subcall function 02837E3C: GetFileAttributesA.KERNEL32(00000000,?,02852A49,ScanString,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,ScanBuffer,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,Initialize), ref: 02837E47
                • Part of subcall function 02837FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02852BE7,OpenSession,0289137C,0285AFD8,ScanString,0289137C,0285AFD8,Initialize,0289137C,0285AFD8,ScanString,0289137C,0285AFD8), ref: 02837FDD
                • Part of subcall function 0284DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0284DB9E), ref: 0284DB0B
                • Part of subcall function 0284DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0284DB45
                • Part of subcall function 0284DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0284DB72
                • Part of subcall function 0284DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0284DB7B
                • Part of subcall function 028487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize,028913A4,0284A77C,UacScan), ref: 028487B4
                • Part of subcall function 028487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028487CE
                • Part of subcall function 028487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize), ref: 0284880A
                • Part of subcall function 0284870C: LoadLibraryW.KERNEL32(amsi), ref: 02848715
                • Part of subcall function 0284870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02848774
              • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,ScanBuffer,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,0285B330), ref: 028549B7
                • Part of subcall function 0284DA44: RtlInitUnicodeString.NTDLL(?,?), ref: 0284DA6C
                • Part of subcall function 0284DA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0284DABE), ref: 0284DA82
                • Part of subcall function 0284DA44: NtDeleteFile.NTDLL(?), ref: 0284DAA1
              • MoveFileA.KERNEL32(00000000,00000000), ref: 02854BB7
              • MoveFileA.KERNEL32(00000000,00000000), ref: 02854C0D
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
              • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
              • API String ID: 3130226682-181751239
              • Opcode ID: eb1c9c39924d5b07cb75f395a29532b925ba45991730a68788319c7064fb2bf4
              • Instruction ID: 5d0957b26d2730d59a73afddff7d6d1c56fcfc53b6d6afe77e6ab5c56041da3d
              • Opcode Fuzzy Hash: eb1c9c39924d5b07cb75f395a29532b925ba45991730a68788319c7064fb2bf4
              • Instruction Fuzzy Hash: A7242E7DA101688FDB16EB68DC80ADE73B6FF85310F5041E2E409E7754DA70AE858F92

              Control-flow Graph

              APIs
              • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02830000,0285D790), ref: 02835A94
              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285D790), ref: 02835AB2
              • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285D790), ref: 02835AD0
              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02835AEE
              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02835B37
              • RegQueryValueExA.ADVAPI32(?,02835CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001), ref: 02835B55
              • RegCloseKey.ADVAPI32(?,02835B84,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835B77
              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02835B94
              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02835BA1
              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02835BA7
              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02835BD2
              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C19
              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C29
              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C51
              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C61
              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02835C87
              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02835C97
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 1759228003-2375825460
              • Opcode ID: 3bfd785e2916d0cc76f0bff8e5b4182da16f6d25390cc79155fe9beef331913f
              • Instruction ID: 7d31e59b48b37cb6463214799bd9763412aac47acce82f12393674953d37a350
              • Opcode Fuzzy Hash: 3bfd785e2916d0cc76f0bff8e5b4182da16f6d25390cc79155fe9beef331913f
              • Instruction Fuzzy Hash: 77519C7DA4024C7EFB22D6A8CC46FEF77BD9B08744F8005A1A608E6181D7789A44CFE5

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNEL32(KernelBase), ref: 0284EC00
              • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0284EC12
              • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0284EC29
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
              • String ID: CheckRemoteDebuggerPresent$KernelBase
              • API String ID: 35162468-539270669
              • Opcode ID: 6434a407fed6a159718683cf69967ce1dd0673d6f65734b8609a76727851ba29
              • Instruction ID: b5d655d947dc35719f00eaf550d3d688fbc9cc3a315bc71236421a312581208b
              • Opcode Fuzzy Hash: 6434a407fed6a159718683cf69967ce1dd0673d6f65734b8609a76727851ba29
              • Instruction Fuzzy Hash: BFF0A77C90425CBBFB22A7AC88897DCFBA96B05328F640795D424E11D1FB7507448696

              Control-flow Graph

              APIs
                • Part of subcall function 02834ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02834EDA
              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0284DC80), ref: 0284DBEB
              • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0284DC80), ref: 0284DC1B
              • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0284DC30
              • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0284DC5C
              • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0284DC65
                • Part of subcall function 02834C0C: SysFreeString.OLEAUT32(0284E950), ref: 02834C1A
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: File$String$AllocCloseFreeInformationOpenQueryRead
              • String ID:
              • API String ID: 2659941336-0
              • Opcode ID: f03a9ca3f205a1be799e975a49b9829e50ebd2c11e83456245273f17a949c896
              • Instruction ID: dd9477f70990ff44816c6493ac3991e1d69eb6f1d366ca4eb69ac9a0ad35b87c
              • Opcode Fuzzy Hash: f03a9ca3f205a1be799e975a49b9829e50ebd2c11e83456245273f17a949c896
              • Instruction Fuzzy Hash: A621C47965070C7BEB11EAD8CC46FDE77BDAB48700F504461B600F71C1DAB4AA058BA6

              Control-flow Graph

              APIs
              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0284E436
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: CheckConnectionInternet
              • String ID: Initialize$OpenSession$ScanBuffer
              • API String ID: 3847983778-3852638603
              • Opcode ID: 77853a84f55d94af7aa8ccc9d9859b345ba7f26bae702b004c1f03fb9f007d27
              • Instruction ID: 5754f08fcdb994873dc5907f713fe3f7f0bb5fd6d6c28c04e6c1a9c1bf57c058
              • Opcode Fuzzy Hash: 77853a84f55d94af7aa8ccc9d9859b345ba7f26bae702b004c1f03fb9f007d27
              • Instruction Fuzzy Hash: C741117DA1050C9BEB11EBA8CC80A9EB3FAFF4C310F518425E441E7351DA74AD058FA1

              Control-flow Graph

              APIs
                • Part of subcall function 02848020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848090,?,?,00000000,?,02847A06,ntdll,00000000,00000000,02847A4B,?,?,00000000), ref: 0284805E
                • Part of subcall function 02848020: GetModuleHandleA.KERNELBASE(?), ref: 02848072
                • Part of subcall function 028480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848150,?,?,00000000,00000000,?,02848069,00000000,KernelBASE,00000000,00000000,02848090), ref: 02848115
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D
              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: HandleModule$AddressProc$MemoryVirtualWrite
              • String ID: Ntdll$yromeMlautriVetirW
              • API String ID: 2719805696-3542721025
              • Opcode ID: 58a6eb10db1e33b46773845bcab31846b52e8804dff08b3eb3eefc9125e0aa57
              • Instruction ID: 0ffbffa57aeb00e1d80ad292f15d41d5d258b381741b3c444da00c0290133f2f
              • Opcode Fuzzy Hash: 58a6eb10db1e33b46773845bcab31846b52e8804dff08b3eb3eefc9125e0aa57
              • Instruction Fuzzy Hash: C001697D614208AFEB00EFA8DC45FAEB7FDEB48700F514860B508D7680CB74B9148B61

              Control-flow Graph

              APIs
              • Sleep.KERNEL32(00000000), ref: 028317D0
              • Sleep.KERNEL32(0000000A,00000000), ref: 028317E6
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 293be3c4917d4ebd9e6d54305860c06074fa1520f1899d1fa011594462618646
              • Instruction ID: 18cb05a490d35cdcc69599f16b7ecb96da6855ccb1aa9f1b244b95edbd3ece11
              • Opcode Fuzzy Hash: 293be3c4917d4ebd9e6d54305860c06074fa1520f1899d1fa011594462618646
              • Instruction Fuzzy Hash: 88B1127EA003508BEB16CF2CD888365BBE1EB85725F1886A9E54ECB3C5D7709461CBD0

              Control-flow Graph

              APIs
              • LoadLibraryW.KERNEL32(amsi), ref: 02848715
                • Part of subcall function 028480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848150,?,?,00000000,00000000,?,02848069,00000000,KernelBASE,00000000,00000000,02848090), ref: 02848115
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D
                • Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74
              • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02848774
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
              • String ID: DllGetClassObject$W$amsi
              • API String ID: 941070894-2671292670
              • Opcode ID: 78777b6b0dbf721b0ed9470f19e77baa356d7707702c07003713f6a54067abed
              • Instruction ID: e41cd5f0d7560eef3902020fa422f8c68fc207b2451fdd2d64ab7080c339f4d7
              • Opcode Fuzzy Hash: 78777b6b0dbf721b0ed9470f19e77baa356d7707702c07003713f6a54067abed
              • Instruction Fuzzy Hash: DDF0A45910C385BAE201E67C8C45F4FBECD4B52224F048A5CF1E8D62D2EA79D1048BB7

              Control-flow Graph

              APIs
              • Sleep.KERNEL32(00000000,?,?,00000000,02831FE4), ref: 02831B17
              • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02831FE4), ref: 02831B31
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: a79d36d3f189bb74f14f7fe9cec1e524c7e994500fc1efdbc855d365cd8baac0
              • Instruction ID: 37e4e6f5cf69df2e32d5d8066478905b984376524a673734ed7056494c1a2d4a
              • Opcode Fuzzy Hash: a79d36d3f189bb74f14f7fe9cec1e524c7e994500fc1efdbc855d365cd8baac0
              • Instruction Fuzzy Hash: F351C07D6012408FEB16DF6CC988796BBD0AB45B18F1885AEE54DCB2C2E770D445CBE1

              Control-flow Graph

              APIs
              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0284E436
              Strings
              Similarity
              • API ID: CheckConnectionInternet
              • String ID: Initialize$OpenSession$ScanBuffer
              • API String ID: 3847983778-3852638603
              • Opcode ID: e100c454f6c4da9aea3d3ce3208b4838e9cae06fccfc6c4c03effe36bc8403e0
              • Instruction ID: 1bad9471d987cc91d248d64feb7794df55d03cb0912a7a5d22344d67c26a8960
              • Opcode Fuzzy Hash: e100c454f6c4da9aea3d3ce3208b4838e9cae06fccfc6c4c03effe36bc8403e0
              • Instruction Fuzzy Hash: 85410F7DB1050C9BEB11EBA8CC80A9EB3FAFF4C310F518425E441E7251DA74AD058FA1

              Control-flow Graph

              APIs
              • LoadLibraryA.KERNEL32(00000000,00000000,0284890B), ref: 02848858
                • Part of subcall function 02848020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848090,?,?,00000000,?,02847A06,ntdll,00000000,00000000,02847A4B,?,?,00000000), ref: 0284805E
                • Part of subcall function 02848020: GetModuleHandleA.KERNELBASE(?), ref: 02848072
                • Part of subcall function 028480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848150,?,?,00000000,00000000,?,02848069,00000000,KernelBASE,00000000,00000000,02848090), ref: 02848115
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D
                • Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74
              • FreeLibrary.KERNEL32(74AD0000,00000000,02891388,Function_000065D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,74AD0000,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB
              Similarity
              • API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
              • String ID:
              • API String ID: 3283153180-0
              • Opcode ID: 4c5d282190d38e13b97ecce1d227271112eddd01a60720c6597f348031ebefdb
              • Instruction ID: 0de14735a23cfcc9c0e23d40dc5ea62c11ead13dd9d518b4bbb52eeea46c9dcf
              • Opcode Fuzzy Hash: 4c5d282190d38e13b97ecce1d227271112eddd01a60720c6597f348031ebefdb
              • Instruction Fuzzy Hash: 5C11847CA44308ABEF02FBBCDC05A5E77B9DB45700F4405A4B608E3B90DE789D006B96

              Control-flow Graph

              • Graph not reproduced: basic blocks 2835814-283585a, calling GetModuleFileNameA and subfunction 2835a78; executed/not-executed colouring lost in extraction
              APIs
              • GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 02835832
                • Part of subcall function 02835A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02830000,0285D790), ref: 02835A94
                • Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285D790), ref: 02835AB2
                • Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285D790), ref: 02835AD0
                • Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02835AEE
                • Part of subcall function 02835A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02835B37
                • Part of subcall function 02835A78: RegQueryValueExA.ADVAPI32(?,02835CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001), ref: 02835B55
                • Part of subcall function 02835A78: RegCloseKey.ADVAPI32(?,02835B84,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835B77
              Similarity
              • API ID: Open$FileModuleNameQueryValue$Close
              • String ID:
              • API String ID: 2796650324-0
              • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
              • Instruction ID: 1e80a3bbc37518111bc2fc1a877ffae3138f4f0fc0566828a07790ec136ca274
              • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
              • Instruction Fuzzy Hash: BFE06DB9A002148BCB11DE5CC8C0A9737D8AB08B50F400565EC58DF34AD3B4D9208BD1

              Control-flow Graph

              • Graph not reproduced: basic blocks 2837e18-2837e38, calling subfunction 283494c and GetFileAttributesA; executed/not-executed colouring lost in extraction
              APIs
              • GetFileAttributesA.KERNEL32(00000000,?,0284F8CC,ScanString,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,ScanString,0289137C,0285AFD8,UacScan,0289137C,0285AFD8,UacInitialize), ref: 02837E23
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
              • Instruction ID: cfb782bd67077159204d450892f9d0333b5072370ea9b2679e4fa45362344c23
              • Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
              • Instruction Fuzzy Hash: 03C08CEE2122000A6E52A1FC0CC400A43C809042393A40B35B43CCA3E2E321C82224D1

              Control-flow Graph

              • Graph not reproduced: basic blocks 2834bdc-2834c6f (entry 2834c48), calling SysFreeString, SysReAllocStringLen and SysAllocStringLen; executed/not-executed colouring lost in extraction
              APIs
              • SysFreeString.OLEAUT32(0284E950), ref: 02834C1A
              • SysReAllocStringLen.OLEAUT32(0285BE78,0284E950,000000B4), ref: 02834C62
              Similarity
              • API ID: String$AllocFree
              • String ID:
              • API String ID: 344208780-0
              • Opcode ID: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
              • Instruction ID: 9eb8f0d25c0c72e60c123b2d12f4de6d0a40da9955d506ed0d59a11c91ee340b
              • Opcode Fuzzy Hash: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
              • Instruction Fuzzy Hash: EBD0807C5001055DBF2FDD994544937736AA9D130A34CC25DDC0ECA241EB75DC02CAF1

              Control-flow Graph

              • Graph not reproduced: single basic block 285bb50-285bb6b, calling timeSetEvent; executed/not-executed colouring lost in extraction
              APIs
              • timeSetEvent.WINMM(00002710,00000000,0285BB44,00000000,00000001), ref: 0285BB60
              Similarity
              • API ID: Eventtime
              • String ID:
              • API String ID: 2982266575-0
              • Opcode ID: d0786b8aa167220f8148ae0891bd2fa4cae93bf8a9ef91ff338820754565d543
              • Instruction ID: 4920326fd9e4a406738685cab30795b5aae8827dee937b100c042cef04aa5f9a
              • Opcode Fuzzy Hash: d0786b8aa167220f8148ae0891bd2fa4cae93bf8a9ef91ff338820754565d543
              • Instruction Fuzzy Hash: CDC092FC7843003EF62166AC2CC2F33718EE304B14F610412BB00FE2D5E5E24C640A66
              APIs
              • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02831A03), ref: 028315E2
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: d7c37834b332fe24c529cd60f2c579932d766010faa033ce643307ae5a5d759e
              • Instruction ID: 164611721756ad31bc683afde7847e9353e24fbb0b2632857d1a34c1d1d9224f
              • Opcode Fuzzy Hash: d7c37834b332fe24c529cd60f2c579932d766010faa033ce643307ae5a5d759e
              • Instruction Fuzzy Hash: 70F037F8B413005BEB06EF7D9D483016AD2E789344F108579E709DB2D8E77194018B40
              APIs
              • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 028316A4
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 2a669a7bab91db20cb42b3a2af6935233a7b8fda59e4b257e86bb6dad1c1a824
              • Instruction ID: 2683693517bd6c29818727cd30ad420e8f9fd2257c7fa33b699c0402b5ee3d17
              • Opcode Fuzzy Hash: 2a669a7bab91db20cb42b3a2af6935233a7b8fda59e4b257e86bb6dad1c1a824
              • Instruction Fuzzy Hash: 71F0FABAB047947BD7118E8A9C80B82BB94FB40720F080139EA4CDB380D7B2A8108BD4
              APIs
              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02831FE4), ref: 02831704
              Similarity
              • API ID: FreeVirtual
              • String ID:
              • API String ID: 1263568516-0
              • Opcode ID: 1b4a79e062a67ee305261807369070bfc78e82772414bcdf9108a829f197f413
              • Instruction ID: 9b2ec0fff5e90318257e011d65e88eb1ec2934501aeb2a7c3076e3d9d5c761c5
              • Opcode Fuzzy Hash: 1b4a79e062a67ee305261807369070bfc78e82772414bcdf9108a829f197f413
              • Instruction Fuzzy Hash: B7E0CD7D3003016FD7115B7D5D88712BBDCEB44B64F184875F549DB281D760E8108BA0
              APIs
              • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0284ABE3,?,?,0284AC75,00000000,0284AD51), ref: 0284A970
              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0284A988
              • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0284A99A
              • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0284A9AC
              • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0284A9BE
              • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0284A9D0
              • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0284A9E2
              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0284A9F4
              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0284AA06
              • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0284AA18
              • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0284AA2A
              • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0284AA3C
              • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0284AA4E
              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0284AA60
              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0284AA72
              • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0284AA84
              • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0284AA96
              Strings
              Similarity
              • API ID: AddressProc$HandleModule
              • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
              • API String ID: 667068680-597814768
              • Opcode ID: 632c6cedb2bc90c3a54ed25567275a10500eb14a874b0042f221d70a7b0d06b7
              • Instruction ID: 924bf188d36181a2051cd2086be4c1661560543544b0814953a9ef2773e9b565
              • Opcode Fuzzy Hash: 632c6cedb2bc90c3a54ed25567275a10500eb14a874b0042f221d70a7b0d06b7
              • Instruction Fuzzy Hash: 8131E1BCAC4735AFFB06DFBCD8D8A1637A9AB057407050965A006CF245FB789810CF96
              APIs
                • Part of subcall function 02848824: LoadLibraryA.KERNEL32(00000000,00000000,0284890B), ref: 02848858
                • Part of subcall function 02848824: FreeLibrary.KERNEL32(74AD0000,00000000,02891388,Function_000065D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,74AD0000,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB
              • GetThreadContext.KERNEL32(00000000,02891420,ScanString,028913A4,0284A77C,UacInitialize,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,UacInitialize,028913A4), ref: 02849442
                • Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74
              • SetThreadContext.KERNEL32(00000000,02891420,ScanBuffer,028913A4,0284A77C,ScanString,028913A4,0284A77C,Initialize,028913A4,0284A77C,00000000,-00000008,028914F8,00000004,028914FC), ref: 0284A157
              • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02891420,ScanBuffer,028913A4,0284A77C,ScanString,028913A4,0284A77C,Initialize,028913A4,0284A77C,00000000,-00000008,028914F8), ref: 0284A164
                • Part of subcall function 028487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize,028913A4,0284A77C,UacScan), ref: 028487B4
                • Part of subcall function 028487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028487CE
                • Part of subcall function 028487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize), ref: 0284880A
              Strings
              Similarity
              • API ID: Library$Thread$ContextFreeLoad$AddressMemoryProcResumeVirtualWrite
              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
              • API String ID: 3455621253-51457883
              • Opcode ID: 0a6d1acadb767cbab300e5246538de260925b861507ec87986583d8da0fbc468
              • Instruction ID: 8e7170226f045b3995d43ffce67947eedc9d119ea749bd4db5325024d5e5ae18
              • Opcode Fuzzy Hash: 0a6d1acadb767cbab300e5246538de260925b861507ec87986583d8da0fbc468
              • Instruction Fuzzy Hash: 69E21E7CA5011C9BEB16EB68CC90EDE73BAEF49310F1040A1E549EB315DE74AE458F92
              APIs
                • Part of subcall function 02848824: LoadLibraryA.KERNEL32(00000000,00000000,0284890B), ref: 02848858
                • Part of subcall function 02848824: FreeLibrary.KERNEL32(74AD0000,00000000,02891388,Function_000065D8,00000004,02891398,02891388,05F5E0FF,00000040,0289139C,74AD0000,00000000,00000000,00000000,00000000,0284890B), ref: 028488EB
              • GetThreadContext.KERNEL32(00000000,02891420,ScanString,028913A4,0284A77C,UacInitialize,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,UacInitialize,028913A4), ref: 02849442
              Strings
              Similarity
              • API ID: Library$ContextFreeLoadThread
              • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
              • API String ID: 720575881-51457883
              • Opcode ID: bc3aba5d95966dc4d9ae5baf9b0b6b1760239ee6f1da9a7135e923f8a5924dc5
              • Instruction ID: 030bc8779b19bf47991997729b795857eefe64e22657f984641f0f1129a4ce32
              • Opcode Fuzzy Hash: bc3aba5d95966dc4d9ae5baf9b0b6b1760239ee6f1da9a7135e923f8a5924dc5
              • Instruction Fuzzy Hash: 67E21D7CA5011C9BEB16EB68CC90EDE73BAEF49310F1040A1E549EB315DE74AE458F92
              APIs
              • GetModuleHandleA.KERNEL32(kernel32.dll,02836BD0,02830000,0285D790), ref: 028358D1
              • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 028358E8
              • lstrcpynA.KERNEL32(?,?,?), ref: 02835918
              • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02836BD0,02830000,0285D790), ref: 0283597C
              • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02836BD0,02830000,0285D790), ref: 028359B2
              • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02836BD0,02830000,0285D790), ref: 028359C5
              • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BD0,02830000,0285D790), ref: 028359D7
              • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BD0,02830000,0285D790), ref: 028359E3
              • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BD0,02830000), ref: 02835A17
              • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BD0), ref: 02835A23
              • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02835A45
              Strings
              Similarity
              • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
              • String ID: GetLongPathNameA$\$kernel32.dll
              • API String ID: 3245196872-1565342463
              • Opcode ID: 20ad37e2dbd9a3ff8bb3c1239f3378d64f7da3c2bd0328ea6728ccfc9bc961a5
              • Instruction ID: 5f0444033f0d6f84729ad0c1e8e34a4898fa5da764bb589bd3a6c8b594ade00d
              • Opcode Fuzzy Hash: 20ad37e2dbd9a3ff8bb3c1239f3378d64f7da3c2bd0328ea6728ccfc9bc961a5
              • Instruction Fuzzy Hash: 3C417F7DD00259AFDB12DAE8CC88ADEB3BEAF08310F4449A5E548E7241D7789B448F90
              APIs
              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02835B94
              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02835BA1
              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02835BA7
              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02835BD2
              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C19
              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C29
              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C51
              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C61
              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02835C87
              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02835C97
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
              • API String ID: 1599918012-2375825460
              • Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
              • Instruction ID: 5efa9141af3549a2ba4bd5d42b49473f5464057f95c0b49fe51c84800509317d
              • Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
              • Instruction Fuzzy Hash: 1B31C77DE4021C6AFB27D6B89C49FDFB7AD5B04784F4405E19608E6080DB789E448FD1
              APIs
              • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize,028913A4,0284A77C,UacScan), ref: 028487B4
              • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028487CE
              • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,028913A4,0284A3C7,ScanString,028913A4,0284A77C,ScanBuffer,028913A4,0284A77C,Initialize), ref: 0284880A
                • Part of subcall function 02847D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D74
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
              • String ID: BCryptVerifySignature$bcrypt
              • API String ID: 1002360270-4067648912
              • Opcode ID: 4bd9b00bda0c10be10f1f07fb2dfc6a066d8b8e124ae901a63252ff564952ce0
              • Instruction ID: bfb5027b3d0790b112a68cba289ee43bcb7d34a32836ae4e4ebfa646c17d216d
              • Opcode Fuzzy Hash: 4bd9b00bda0c10be10f1f07fb2dfc6a066d8b8e124ae901a63252ff564952ce0
              • Instruction Fuzzy Hash: 4FF0817DA88219EBEB119A6CA84CB7633BC9741358F0C0929B10CC76C0E7781410AB50
              APIs
                • Part of subcall function 02834ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02834EDA
              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0284DB9E), ref: 0284DB0B
              • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0284DB45
              • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0284DB72
              • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0284DB7B
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: File$AllocCloseCreateStringWrite
              • String ID:
              • API String ID: 3308905243-0
              • Opcode ID: ef78dc56a37a7b5ea296fc6bf1e8470dcedf3b088f6fcf699a73ae194ed3361a
              • Instruction ID: 51ee3cd47ac09682cd62ef804454aef7264397822d3a29f8580268f03788961c
              • Opcode Fuzzy Hash: ef78dc56a37a7b5ea296fc6bf1e8470dcedf3b088f6fcf699a73ae194ed3361a
              • Instruction Fuzzy Hash: AC21C179A4030CBBEB11EAE8CD46F9EB7BDEB04B14F504461B604F71D0DBB46E048A96
              APIs
              • RtlInitUnicodeString.NTDLL(?,?), ref: 0284DA6C
              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0284DABE), ref: 0284DA82
              • NtDeleteFile.NTDLL(?), ref: 0284DAA1
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: DeleteFileInitStringUnicode
              • String ID:
              • API String ID: 3559453722-0
              • Opcode ID: 97311c2412812b380f08521188bae99ed0de798ce78c0aa4d3d47d1892d70ff4
              • Instruction ID: cf2c6d7c2d7e210326c788a34b89cf5668a6459b9851272470bf024e78c24ea1
              • Opcode Fuzzy Hash: 97311c2412812b380f08521188bae99ed0de798ce78c0aa4d3d47d1892d70ff4
              • Instruction Fuzzy Hash: 11014F7D90824CAFEB06EAA48941BCD77B9AB45704F5000939240E6082DF74AB148B66
              APIs
                • Part of subcall function 02834ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02834EDA
              • RtlInitUnicodeString.NTDLL(?,?), ref: 0284DA6C
              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0284DABE), ref: 0284DA82
              • NtDeleteFile.NTDLL(?), ref: 0284DAA1
                • Part of subcall function 02834C0C: SysFreeString.OLEAUT32(0284E950), ref: 02834C1A
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: String$AllocDeleteFileFreeInitUnicode
              • String ID:
              • API String ID: 2841551397-0
              • Opcode ID: f33779f7ce2e41976a921b2e3bad5cca291c3d8bde5ae72dadf4bf6fc8dac801
              • Instruction ID: 3f1fd498e678a75a7a03195ff0f445243aff5b33e9ec0eaad2ad750f2d91a6b0
              • Opcode Fuzzy Hash: f33779f7ce2e41976a921b2e3bad5cca291c3d8bde5ae72dadf4bf6fc8dac801
              • Instruction Fuzzy Hash: 5601E17D90420CABEB11EAE4CD51FCEB3BDEB48710F504462E600E6180EB74AB148A65
              APIs
              • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02837F7D
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: DiskFreeSpace
              • String ID:
              • API String ID: 1705453755-0
              • Opcode ID: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
              • Instruction ID: 50fa33735f41c843807b3f86d8101520f8758cbac941e29ebff9731372badd20
              • Opcode Fuzzy Hash: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
              • Instruction Fuzzy Hash: 0C1100B5A00209AF9B05CF9DC8809AFF7F9EFCC304B14C569A508EB254E6319A018B90
              APIs
                • Part of subcall function 02846CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02846D41,?,?,?,00000000), ref: 02846D21
              • CoCreateInstance.OLE32(?,00000000,00000005,02846E34,00000000,00000000,02846DB3,?,00000000,02846E23), ref: 02846D9F
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: CreateFromInstanceProg
              • String ID:
              • API String ID: 2151042543-0
              • Opcode ID: 19a70717b9f99420783f53e4124711202c3f69116e11314e0f5ecee19643d98c
              • Instruction ID: ee5ba9f3677ddf308c91769682d0b0d70da62c1b80a4a489de42655ce6992bd6
              • Opcode Fuzzy Hash: 19a70717b9f99420783f53e4124711202c3f69116e11314e0f5ecee19643d98c
              • Instruction Fuzzy Hash: C701F77D60870CAFF705DF68DC5296B7BEDE74AB10B614435F901D2640FA349A00C9A1
              APIs
              • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A76A
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              • Opcode ID: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
              • Instruction ID: 30891b67b21b3586e960f67fe98c77f7fb6c77dd7a787ace8f71739bee1351cc
              • Opcode Fuzzy Hash: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
              • Instruction Fuzzy Hash: 64E0D83EB0021817D316A55C9C81DF6735D975C350F00417EBD48C7341FEA09D404AEA
              APIs
              • GetVersionExA.KERNEL32(?,0285C106,00000000,0285C11E), ref: 0283B722
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: Version
              • String ID:
              • API String ID: 1889659487-0
              • Opcode ID: 833bdb0fc2f2bdfbc44b5e9af5d46e9fcbb4dd45d38abd0f7083f1a10350b54e
              • Instruction ID: c289563f2104bf3be402d0039a5dd6483f04316f230eb865f58f2de508b8013a
              • Opcode Fuzzy Hash: 833bdb0fc2f2bdfbc44b5e9af5d46e9fcbb4dd45d38abd0f7083f1a10350b54e
              • Instruction Fuzzy Hash: FFF0D4BC9443219FC351EF28D541A197BE5FB48B14F408D29EC99C73A0E7389866CF92
              APIs
              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0283BDFA,00000000,0283C013,?,?,00000000,00000000), ref: 0283A7AB
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              • Opcode ID: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
              • Instruction ID: 8125bfd4a028d75cb6625cd2a85976152a90bc9bf7ae5fe1de7ba3791a1ee98e
              • Opcode Fuzzy Hash: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
              • Instruction Fuzzy Hash: 3BD05EAE30E2603AA225515E2D94D7B5AECCAC97A1F00843EF5C8C6201E2008C0696F5
              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: LocalTime
              • String ID:
              • API String ID: 481472006-0
              • Opcode ID: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
              • Instruction ID: 36279ed80754645ce8ca8595f2490d50e495cf1bcaff86714ca6c0c592f342b0
              • Opcode Fuzzy Hash: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
              • Instruction Fuzzy Hash: EEA01108808C30228A803B2E0C0223A3088A800A20FC80F80A8F8802E2FE2E022080EB
              Memory Dump Source
              • Source File: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12043076a5366ebb5461ea3a1a8c543de513e28444d30f364bf4840e377266cb
              • Instruction ID: c7b232916a5afe816f97f151e0ded9be56f7e2bfa8181749b74a171183b5f72a
              • Opcode Fuzzy Hash: 12043076a5366ebb5461ea3a1a8c543de513e28444d30f364bf4840e377266cb
              • Instruction Fuzzy Hash: 4651E67A4197D28FC7834F7484953827FF1AF57625B0A01DADC848F0A3E3694897DB51
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
              • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
              • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
              • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
              APIs
              • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0283D225
                • Part of subcall function 0283D1F0: GetProcAddress.KERNEL32(00000000), ref: 0283D209
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
              • API String ID: 1646373207-1918263038
              • Opcode ID: 10f21f5ebaceeed55fa0620d40c6c95fe454a50a56505154fb70d659a8dba21a
              • Instruction ID: 6023fae9b7dd9f2542e663dd4b2c832e5d0a1752fdbc00b45305ebdae48b1345
              • Opcode Fuzzy Hash: 10f21f5ebaceeed55fa0620d40c6c95fe454a50a56505154fb70d659a8dba21a
              • Instruction Fuzzy Hash: 3741886DA882055B560BFBAD740442BB7DED788760360851BF208DB7C1DDB0BC694EEE
              APIs
              • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02846E66
              • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02846E77
              • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02846E87
              • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02846E97
              • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02846EA7
              • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02846EB7
              • GetProcAddress.KERNEL32 ref: 02846EC7
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: AddressProc$HandleModule
              • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
              • API String ID: 667068680-2233174745
              • Opcode ID: 77ab40fb7f59aafd3fc166909d14bc247e6a701df920dbf6e49b820630acffdf
              • Instruction ID: 405371dcaed507dc867b49cfd06f2eae67a1fe45bda40228ea00fec55b775c1d
              • Opcode Fuzzy Hash: 77ab40fb7f59aafd3fc166909d14bc247e6a701df920dbf6e49b820630acffdf
              • Instruction Fuzzy Hash: 10F04CECA897397FB7037F7C9C81827279D9D126843101925B842E5A43FFBD88604B9A
              APIs
              • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 028328CE
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: Message
              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
              • API String ID: 2030045667-32948583
              • Opcode ID: ca4802617235d4052a82e0b138cd18013397730ae804efa983f917bfecf0d030
              • Instruction ID: bfa3915ef22ec5d784ab5d93d09f9e5bd0c32fd4f0392b2d1054ad484eb8f11c
              • Opcode Fuzzy Hash: ca4802617235d4052a82e0b138cd18013397730ae804efa983f917bfecf0d030
              • Instruction Fuzzy Hash: 3CA1E73CA042648BDF22AA2CCC80B9876E5EB09714F1441E5DD4DDB28ADB759D89CFD1
              Strings
              • bytes: , xrefs: 0283275D
              • An unexpected memory leak has occurred. , xrefs: 02832690
              • , xrefs: 02832814
              • The unexpected small block leaks are:, xrefs: 02832707
              • Unexpected Memory Leak, xrefs: 028328C0
              • 7, xrefs: 028326A1
              • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02832849
              Similarity
              • API ID:
              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
              • API String ID: 0-2723507874
              • Opcode ID: cc2dcd96c03cc6f2435465c7377c6ba568625bdf7f9316523fc589f1506854ed
              • Instruction ID: f3fc76e2c29368965c7f7d0a82c5d9cd5c3c42851d3422f36a92f70e17764968
              • Opcode Fuzzy Hash: cc2dcd96c03cc6f2435465c7377c6ba568625bdf7f9316523fc589f1506854ed
              • Instruction Fuzzy Hash: 4A71A53CA042A88EDB22AA2CCC84BD9B6E5EB09714F1041E5D94DDB289DBB54DC5CF91
              APIs
              • GetThreadLocale.KERNEL32(00000000,0283C013,?,?,00000000,00000000), ref: 0283BD7E
                • Part of subcall function 0283A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A76A
              Similarity
              • API ID: Locale$InfoThread
              • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
              • API String ID: 4232894706-2493093252
              • Opcode ID: 9892bf007104f695341788893a099d82a4686b2be31176b0b6b0b74c7ad104b9
              • Instruction ID: a410b2d2b2f7b9cac07ab0912021d31e83541ba849259c0dad578e223c6e66b6
              • Opcode Fuzzy Hash: 9892bf007104f695341788893a099d82a4686b2be31176b0b6b0b74c7ad104b9
              • Instruction Fuzzy Hash: BF615E3DB001489BDB06EBACDC90A9F77BB9B48300F549436E241FB745DA75D9098BD2
              APIs
              • IsBadReadPtr.KERNEL32(?,00000004), ref: 0284AE40
              • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0284AE57
              • IsBadReadPtr.KERNEL32(?,00000004), ref: 0284AEEB
              • IsBadReadPtr.KERNEL32(?,00000002), ref: 0284AEF7
              • IsBadReadPtr.KERNEL32(?,00000014), ref: 0284AF0B
              Similarity
              • API ID: Read$HandleModule
              • String ID: KernelBase$LoadLibraryExA
              • API String ID: 2226866862-113032527
              • Opcode ID: 0682bb1cfc70660c73842f1bcdcfedb853a0671eb41967d287c7fb2a4e8593c4
              • Instruction ID: cbd5d2e374e8045ef4afe0c3d5471208291d2883c6ea63f3c123e5ada706687b
              • Opcode Fuzzy Hash: 0682bb1cfc70660c73842f1bcdcfedb853a0671eb41967d287c7fb2a4e8593c4
              • Instruction Fuzzy Hash: 6A3187BE540309BBEB24DF5CCC85F5A77A8AF05764F044114EA58EF281EB74E940CBA5
              APIs
              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?,028907C8,?,?,0285D7A8,0283655D,0285C30D), ref: 02834365
              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?,028907C8,?,?,0285D7A8,0283655D,0285C30D), ref: 0283436B
              • GetStdHandle.KERNEL32(000000F5,028343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?,028907C8), ref: 02834380
              • WriteFile.KERNEL32(00000000,000000F5,028343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?), ref: 02834386
              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 028343A4
              Similarity
              • API ID: FileHandleWrite$Message
              • String ID: Error$Runtime error at 00000000
              • API String ID: 1570097196-2970929446
              • Opcode ID: ab93594cdc6e9cecb16de694630aca592fa85504c999b9d2bca0ea3a5cc1b7a3
              • Instruction ID: 34bf6668ffe2e90b517828df6f3574f0b9a4b42f3f8a94ccd86aab78c973c7d4
              • Opcode Fuzzy Hash: ab93594cdc6e9cecb16de694630aca592fa85504c999b9d2bca0ea3a5cc1b7a3
              • Instruction Fuzzy Hash: 76F0B46DAC434079FA12B668AC4AF9D275C5B45F25F180A04BA38E50C0C7E8A0C4CBA7
              APIs
                • Part of subcall function 0283ACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0283ACE1
                • Part of subcall function 0283ACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0283AD05
                • Part of subcall function 0283ACC4: GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 0283AD20
                • Part of subcall function 0283ACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0283ADB6
              • CharToOemA.USER32(?,?), ref: 0283AE83
              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0283AEA0
              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0283AEA6
              • GetStdHandle.KERNEL32(000000F4,0283AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0283AEBB
              • WriteFile.KERNEL32(00000000,000000F4,0283AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0283AEC1
              • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0283AEE3
              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0283AEF9
              Similarity
              • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
              • String ID:
              • API String ID: 185507032-0
              • Opcode ID: a7a9910d431e859f6cf7900fc644c1c595763e71450b6369230f5ea73d7c9471
              • Instruction ID: 2f41d4a3b21f3762cb8f6a8446cbbce132fdd3bd177a68b161e21dc084b6cf36
              • Opcode Fuzzy Hash: a7a9910d431e859f6cf7900fc644c1c595763e71450b6369230f5ea73d7c9471
              • Instruction Fuzzy Hash: 041170BE5442047AD202FBACCC80F8B77EDAB44700F400916B384D60D1EB75E9448FA7
              APIs
              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0283E5AD
              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0283E5C9
              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0283E602
              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0283E67F
              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0283E698
              • VariantCopy.OLEAUT32(?,00000000), ref: 0283E6CD
              Similarity
              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
              • String ID:
              • API String ID: 351091851-0
              • Opcode ID: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
              • Instruction ID: c636ffa3007aebc3f30ecb90396637d97d845ff5d662c73c4fb5cc646b836592
              • Opcode Fuzzy Hash: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
              • Instruction Fuzzy Hash: 1151D67E90162D9BCB22EF58C880BD9B3BDAF4C300F4041D5E949E7242D674AF858FA1
              APIs
              • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0283358A
              • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,028335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028335BD
              • RegCloseKey.ADVAPI32(?,028335E0,00000000,?,00000004,00000000,028335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028335D3
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
              • API String ID: 3677997916-4173385793
              • Opcode ID: 52b7c0591229db538816e3fc35eba4fe39363d668987a25d1cd3b7d01d8518ed
              • Instruction ID: 946a9cb49d15692e6929dc1c01fdf6a2e86afd78b70b152d2e18ff12fcc74042
              • Opcode Fuzzy Hash: 52b7c0591229db538816e3fc35eba4fe39363d668987a25d1cd3b7d01d8518ed
              • Instruction Fuzzy Hash: 4701D87E940318BAFB12DB90CD02BBD77ECEB08B10F1005A1BE04D6680F6789610DBD9
              APIs
              • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848150,?,?,00000000,00000000,?,02848069,00000000,KernelBASE,00000000,00000000,02848090), ref: 02848115
              • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
              • GetProcAddress.KERNEL32(?,?), ref: 0284812D
              Similarity
              • API ID: AddressProc$HandleModule
              • String ID: Kernel32$sserddAcorPteG
              • API String ID: 667068680-1372893251
              • Opcode ID: 4fb8c88c661fc3b6cac0f6561d4020540db2929965b6cd8ecd29ca47bb0dbcb4
              • Instruction ID: bd2729bbcf504ea7f3ddcc45c94b7222bbdf976c334a281750c66c0586a60f04
              • Opcode Fuzzy Hash: 4fb8c88c661fc3b6cac0f6561d4020540db2929965b6cd8ecd29ca47bb0dbcb4
              • Instruction Fuzzy Hash: 7801A23CA44308BFEB02EFA8DC41E9EB7BEEB48710F514865B504D7740DA78A9009A65
              APIs
              • GetThreadLocale.KERNEL32(?,00000000,0283AA6F,?,?,00000000), ref: 0283A9F0
                • Part of subcall function 0283A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A76A
              • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0283AA6F,?,?,00000000), ref: 0283AA20
              • EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 0283AA2B
              • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0283AA6F,?,?,00000000), ref: 0283AA49
              • EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 0283AA54
              Similarity
              • API ID: Locale$InfoThread$CalendarEnum
              • String ID:
              • API String ID: 4102113445-0
              • Opcode ID: a1f4e68f5202450e1771a53e0804ae77dfe8dc0a270603250dfa49d43cad2048
              • Instruction ID: eaf35aa93d4c00ddc9645ec9d6af28fcb0555aa888a21ecdddee0fc59741e7cb
              • Opcode Fuzzy Hash: a1f4e68f5202450e1771a53e0804ae77dfe8dc0a270603250dfa49d43cad2048
              • Instruction Fuzzy Hash: C301F73E6002587FF707E6BCCD12B6E735DDB41720F514160E651E67C0F6689E108AEA
              APIs
              • GetThreadLocale.KERNEL32(?,00000000,0283AC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0283AAB7
                • Part of subcall function 0283A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A76A
              Similarity
              • API ID: Locale$InfoThread
              • String ID: eeee$ggg$yyyy
              • API String ID: 4232894706-1253427255
              • Opcode ID: 783f9adf2310e76877463b515793e02f5582f218ce269ca39cc1d3e978261366
              • Instruction ID: f90251725cc5f3b380de738190621809c8fb9ddf2cc0c0ca44404c63d9af608e
              • Opcode Fuzzy Hash: 783f9adf2310e76877463b515793e02f5582f218ce269ca39cc1d3e978261366
              • Instruction Fuzzy Hash: A841267D3041094BE71BAB6DC8902BEB3EBDB81304B504565D5E2C7344E678DD0BCAE2
              APIs
              • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848090,?,?,00000000,?,02847A06,ntdll,00000000,00000000,02847A4B,?,?,00000000), ref: 0284805E
                • Part of subcall function 028480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848150,?,?,00000000,00000000,?,02848069,00000000,KernelBASE,00000000,00000000,02848090), ref: 02848115
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0284811B
                • Part of subcall function 028480C8: GetProcAddress.KERNEL32(?,?), ref: 0284812D
              • GetModuleHandleA.KERNELBASE(?), ref: 02848072
              Similarity
              • API ID: HandleModule$AddressProc
              • String ID: AeldnaHeludoMteG$KernelBASE
              • API String ID: 1883125708-1952140341
              • Opcode ID: 56de8852c018baa2dbd74805beab7b209d285e3fc15b69fdddaa10de3172a5f0
              • Instruction ID: 48cd645a1983e91c4a071bb6c73dcaafca825b53992acf557138bf44bb472ba9
              • Opcode Fuzzy Hash: 56de8852c018baa2dbd74805beab7b209d285e3fc15b69fdddaa10de3172a5f0
              • Instruction Fuzzy Hash: F8F0F03D614308BFEB01EFB8DC0291EB7ADEB09740B914960F500D3B10DB78BD009A66
              APIs
              • GetModuleHandleW.KERNEL32(KernelBase,?,0284EF98,UacInitialize,0289137C,0285AFD8,OpenSession,0289137C,0285AFD8,ScanBuffer,0289137C,0285AFD8,ScanString,0289137C,0285AFD8,Initialize), ref: 0284EB9A
              • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0284EBAC
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: IsDebuggerPresent$KernelBase
              • API String ID: 1646373207-2367923768
              • Opcode ID: 133b7841be745cb082c4c5cc423e5709ec3f86222df364a8e72131b0ab7c30e2
              • Instruction ID: a4b74499704542826384b6edd5f0c37b38178f367f0872ff4bdaa207137d70b9
              • Opcode Fuzzy Hash: 133b7841be745cb082c4c5cc423e5709ec3f86222df364a8e72131b0ab7c30e2
              • Instruction Fuzzy Hash: 03D0126D7557282FB90135FC0CC4C1E02CD99055693201E71B027E11D3FA6A88111555
              APIs
              • GetModuleHandleA.KERNEL32(kernel32.dll,?,0285C10B,00000000,0285C11E), ref: 0283C402
              • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0283C413
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: GetDiskFreeSpaceExA$kernel32.dll
              • API String ID: 1646373207-3712701948
              • Opcode ID: dfa34963c711bea7a6f31388021f70b32f7eaa0d5b55ce0d67203c69decb8a50
              • Instruction ID: 90e5a1a44d10675157bdafc93297b3d4ca83f53f1a5d0a6aa9569fe93a7e8070
              • Opcode Fuzzy Hash: dfa34963c711bea7a6f31388021f70b32f7eaa0d5b55ce0d67203c69decb8a50
              • Instruction Fuzzy Hash: 35D0C7ACA413219EFF035BB9788063636D89744766F40EC26E545E5242E7BD84244FD9
              APIs
              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0283E21F
              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0283E23B
              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0283E2B2
              • VariantClear.OLEAUT32(?), ref: 0283E2DB
              Similarity
              • API ID: ArraySafe$Bound$ClearIndexVariant
              • String ID:
              • API String ID: 920484758-0
              • Opcode ID: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
              • Instruction ID: c236bb5f5e87bf062847ace1a9fe0e2e463aad54ba697ed85a8e9bc7847d9bf4
              • Opcode Fuzzy Hash: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
              • Instruction Fuzzy Hash: 7741F87DA0161D9BCB62DB58CC90BD9B3BDBF48204F0041D5EA4CE7251DA74AF808F91
              APIs
              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0283ACE1
              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0283AD05
              • GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 0283AD20
              • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0283ADB6
              Similarity
              • API ID: FileModuleName$LoadQueryStringVirtual
              • String ID:
              • API String ID: 3990497365-0
              • Opcode ID: 7f476ec004eb1766b1c066890dd98336c1cf02d5ce69ad3fce6f3db3b4f095a1
              • Instruction ID: 30410594b337e93da6598521559619f3456a4153f2e16c43d50377bc12bd9677
              • Opcode Fuzzy Hash: 7f476ec004eb1766b1c066890dd98336c1cf02d5ce69ad3fce6f3db3b4f095a1
              • Instruction Fuzzy Hash: E041507DA00258ABDB22DB68CC84BDAB7FDAB18301F0044E5A648E7241E7759F84CF91
              APIs
              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0283ACE1
              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0283AD05
              • GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 0283AD20
              • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0283ADB6
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: FileModuleName$LoadQueryStringVirtual
              • String ID:
              • API String ID: 3990497365-0
              • Opcode ID: 110a3fd0bbf80de0ab09b25aad3a4ff50b9b20b6cbcb2639fb9fb80406f303ff
              • Instruction ID: b1c2750f7c492830f2924e593733709ca24249c65831e84b74ae7b3f50bb4770
              • Opcode Fuzzy Hash: 110a3fd0bbf80de0ab09b25aad3a4ff50b9b20b6cbcb2639fb9fb80406f303ff
              • Instruction Fuzzy Hash: 8D41427DA00258ABDB22DB5CCC84BDAB7FDAB18301F0444E5A648E7251E7759F84CF91
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bc86a2aaa6f679b476a1705ac2a896c748f47356724c94e7176277d0f7d083b2
              • Instruction ID: bcc94a6e1f2078ff606b713fa1802e1e5c3c76a8730556e7e8d7601b057537bd
              • Opcode Fuzzy Hash: bc86a2aaa6f679b476a1705ac2a896c748f47356724c94e7176277d0f7d083b2
              • Instruction Fuzzy Hash: 72A1F86E7106000BE71AAA7C9C883BDB3C2DBC5B25F18827EE11DCB785DB64C95287D1
              APIs
              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02839562), ref: 028394FA
              • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02839562), ref: 02839500
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: DateFormatLocaleThread
              • String ID: yyyy
              • API String ID: 3303714858-3145165042
              • Opcode ID: 4ae84e2e46795798ec7b7a33d4665bc354dc04403a73252e4054336359d90f50
              • Instruction ID: ad7761aeaebe541e02de70db969bace22e046e302e162ed945c4601adad2e045
              • Opcode Fuzzy Hash: 4ae84e2e46795798ec7b7a33d4665bc354dc04403a73252e4054336359d90f50
              • Instruction Fuzzy Hash: 7F21307EA002189FDB12DF98C841AEEB3B9EF48710F5140A5E949E7350D7B49E44CBE6
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: AllocValue
              • String ID: XGw
              • API String ID: 1189806713-3971455815
              • Opcode ID: a5c25d6e9f30c3b30b13676ff8c8a345cb6a091723f3234a331606422db1b7fe
              • Instruction ID: 03e0f9ee7c694a41ca2329bfe621538161aa29e9950aac91c1632a9f9a6bada3
              • Opcode Fuzzy Hash: a5c25d6e9f30c3b30b13676ff8c8a345cb6a091723f3234a331606422db1b7fe
              • Instruction Fuzzy Hash: EEC002BCE50331AAEB02BBBD940460A36ADEB01715F08D925B814C7188FB79C411DF9A
              APIs
              • IsBadReadPtr.KERNEL32(?,00000004), ref: 0284AD98
              • IsBadWritePtr.KERNEL32(?,00000004), ref: 0284ADC8
              • IsBadReadPtr.KERNEL32(?,00000008), ref: 0284ADE7
              • IsBadReadPtr.KERNEL32(?,00000004), ref: 0284ADF3
              Memory Dump Source
              • Source File: 00000003.00000002.4496008500.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true
              • Associated: 00000003.00000002.4495994250.0000000002830000.00000002.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000285D000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496044213.000000000288E000.00000004.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002891000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002986000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000003.00000002.4496097161.0000000002988000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_2830000_x.jbxd
              Similarity
              • API ID: Read$Write
              • String ID:
              • API String ID: 3448952669-0
              • Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
              • Instruction ID: a63cbf96bbaf38f45724deadc548ff6bdf9ca2a70efc24546173004992681a48
              • Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
              • Instruction Fuzzy Hash: A421A2BDA8061DABDB14DF69CC80BAE77A9EF44366F004111EE14DB344EF34E9119AE4